Vulnerability Details: CVE-2017-9506
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
Vulnerability categories: Cross site scripting (XSS); Server-side request forgery (SSRF)
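The record above says only that IconUriServlet proxies attacker-supplied URLs. The script below is an added example (not code from the CVE record, from Atlassian, or from any of the references) showing how a defender would find exploitation attempts in a web server access log and sort them by where the proxied URL points. It assumes, since the page does not state it, that the servlet is reachable at /plugins/servlet/oauth/users/icon-uri and takes the URL to fetch in a consumerUri query parameter; the log lines are constructed samples.

```python
"""Spot CVE-2017-9506-style SSRF attempts in a web server access log.

Added example, not code from the CVE record or from Atlassian.
Assumed (not stated on this page): the servlet answers at
/plugins/servlet/oauth/users/icon-uri and takes the URL to fetch in the
consumerUri query parameter. The log lines are constructed samples.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"  # assumed servlet path
TARGET_PARAM = "consumerUri"                               # assumed parameter name

# Apache/nginx "combined" style line: client ip, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_target(url: str) -> str:
    """Say where a proxied URL points, without DNS so it runs offline.

    Literal IPs are judged by address range. A bare hostname cannot be
    settled here (only the resolver on the Jira host knows what it maps
    to), so it is reported as 'external' unless it is an obvious local name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "non-http"
    host = parts.hostname or ""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host.endswith((".local", ".internal")):
            return "internal-name"
        return "external"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:        # 169.254.0.0/16, e.g. cloud metadata endpoints
        return "link-local"
    if ip.is_private:
        return "private"
    return "external"


def ssrf_attempts(log_lines):
    """One record per request to the icon-uri servlet that carries a target URL."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != ICON_URI_PATH:
            continue
        for url in parse_qs(query).get(TARGET_PARAM, []):  # parse_qs percent-decodes once
            hits.append({
                "src": m.group("ip"),
                "status": int(m.group("status")),
                "url": url,
                "class": classify_target(url),
            })
    return hits


def flagged_sources(hits):
    """Client IPs that aimed the proxy at anything other than a public HTTP(S) URL."""
    return {h["src"] for h in hits if h["class"] != "external"}


# Constructed sample log, not real traffic. 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2018:10:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri'
    '?consumerUri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2018:10:00:02 +0000] "GET /plugins/servlet/oauth/users/icon-uri'
    '?consumerUri=http://10.0.0.8:8080/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2018:10:01:00 +0000] "GET /plugins/servlet/oauth/users/icon-uri'
    '?consumerUri=https://example.org/icon.png HTTP/1.1" 200 1303',
    '198.51.100.7 - - [10/Mar/2018:10:01:05 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9000',
    '203.0.113.5 - - [10/Mar/2018:10:02:00 +0000] "GET /plugins/servlet/oauth/users/icon-uri'
    '?consumerUri=http://localhost:8080/rest/api/2/myself HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    hits = ssrf_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["src"]:<14} {h["status"]} {h["class"]:<13} {h["url"]}')
    print("sources to investigate:", sorted(flagged_sources(hits)))
```

The range-based classification is a floor, not a verdict: a hostname that resolves to an internal address on the Jira host is reported as external here, so hits with a hostname target still deserve a look. The same check, applied to the resolved address before the servlet follows the URL, is the shape of a server-side fix for this class of SSRF, and a 200 status on an internal target is the strongest signal in the output because it means the proxied content came back.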
Products affected by CVE-2017-9506
- cpe:2.3:a:atlassian:oauth:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.0:m4:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.0:m2:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.5.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.0:m2:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.5.0:m3:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-9506
EPSS score: 3.18% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~91% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-9506
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2017-9506
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-9506
- https://ecosystem.atlassian.net/browse/OAUTH-344
  [OAUTH-344] The icon-uri servlet allows arbitrary HTTP requests to be proxied - CVE-2017-9506 - Ecosystem Jira (Issue Tracking; Vendor Advisory)
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
  410 Deleted by author (Medium) (Broken Link; Third Party Advisory)
- https://twitter.com/ankit_anubhav/status/973566620676382721
  Ankit Anubhav on Twitter: "#JIRA users, attention. Attackers are using JIRA exploit CVE-2017-9506 to get inside your network for data theft. Its sort of an open redirect vuln, but in some cases it can (Exploit; Third Party Advisory)
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
  Don't Panic: There is a proxy in your Atlassian Product! (CVE-2017-9506) (Exploit; Third Party Advisory)
- https://twitter.com/Zer0Security/status/983529439433777152
  ZeroSecurity on Twitter: "Abusing CVE-2017-9506 to access internal services and #hacking the Department of the Defense in the process #DOD #Exploit #InfoSec https://t.co/WjMlHGYqt8" (Exploit; Third Party Advisory)