The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
References
Link | Resource |
---|---|
http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html | Exploit Third Party Advisory |
https://ecosystem.atlassian.net/browse/OAUTH-344 | Issue Tracking Vendor Advisory |
https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3 | Broken Link Third Party Advisory |
https://twitter.com/Zer0Security/status/983529439433777152 | Exploit Third Party Advisory |
https://twitter.com/ankit_anubhav/status/973566620676382721 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2017-08-23 19:29
Updated : 2024-02-28 16:04
NVD link : CVE-2017-9506
Mitre link : CVE-2017-9506
CVE.ORG link : CVE-2017-9506
JSON object : View
Products Affected
atlassian
- oauth
CWE
CWE-918
Server-Side Request Forgery (SSRF)