SSRF in Atlassian Oauth Plugin
CVE-2017-9506
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.716 (99.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
Affected products
- Atlassian Oauth Plugin — versions From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4.
- Atlassian Oauth — versions 1.3.0, 1.3.1, 1.3.2
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security@atlassian.com (Exploit, Third Party Advisory, x_refsource_MISC)
- security@atlassian.com (Exploit, Third Party Advisory, x_refsource_MISC)
- security@atlassian.com (x_refsource_MISC, Issue Tracking, Vendor Advisory)
- security@atlassian.com (Exploit, Third Party Advisory, x_refsource_MISC)
- security@atlassian.com (Third Party Advisory, x_refsource_MISC, Broken Link)
Frequently asked questions
- What is CVE-2017-9506?
- CVE-2017-9506 is a medium-severity vulnerability in Atlassian Oauth Plugin, classified under Server-Side Request Forgery (SSRF). CVSS score: 6.1/10. Published 2017-08-23.
- How severe is CVE-2017-9506?
- Medium severity. CVSS v3 base score is 6.1 out of 10.
- Is CVE-2017-9506 known to be exploited?
- 37 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.