Oauth_callback_confirmed missing from OAuth 1 Request Token response

According to https://developer.atlassian.com/server/jira/platform/oauth/ JIRA Server implements OAuth 1.0a. But with a JIRA Server 8.13.10 installation we need to authenticate against, we run into the problem that oauth_callback_confirmed from the Request Token response, which an OAuth 1.0a Service Provider “MUST” send (OAuth Core 1.0a), is missing. This is new in OAuth 1.0a compared to OAuth 1.0, which also fixes a severe security vulnerability (link will follow).

Does JIRA Server only implement the vulnerable OAuth 1.0 standard and not the fixed 1.0a version?

Promised link explaining the security vulnerability: OAuth Security Advisory 2009.1 — OAuth (was unable to include this in the first message, due to restrictions for new users)