Vulnerability Description
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Oauth | 1.3.0 |
Related Weaknesses (CWE)
References
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html (Exploit, Third Party Advisory)
- https://ecosystem.atlassian.net/browse/OAUTH-344 (Issue Tracking, Vendor Advisory)
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forger (Broken Link, Third Party Advisory)
- https://twitter.com/Zer0Security/status/983529439433777152 (Exploit, Third Party Advisory)
- https://twitter.com/ankit_anubhav/status/973566620676382721 (Exploit, Third Party Advisory)
FAQ
What is CVE-2017-9506?
CVE-2017-9506 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network ...
How severe is CVE-2017-9506?
CVE-2017-9506 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2017-9506?
Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Oauth.