CVE-2017-9506
N/A
N/A
Summary
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Atlassian | Atlassian OAuth Plugin | From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4. | affected |
Weaknesses
- Server-Side Request Forgery
ADP Enrichment
CVE Program Container
Additional References
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
- https://twitter.com/ankit_anubhav/status/973566620676382721
- https://ecosystem.atlassian.net/browse/OAUTH-344
- https://twitter.com/Zer0Security/status/983529439433777152
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
- https://twitter.com/ankit_anubhav/status/973566620676382721
- https://ecosystem.atlassian.net/browse/OAUTH-344
- https://twitter.com/Zer0Security/status/983529439433777152
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.