{"containers": {"cna": {"affected": [{"product": "Atlassian OAuth Plugin", "vendor": "Atlassian", "versions": [{"status": "affected", "version": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."}]}], "datePublic": "2017-05-31T00:00:00", "descriptions": [{"lang": "en", "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."}], "problemTypes": [{"descriptions": [{"description": "Server-Side Request Forgery", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-04-10T06:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"}, {"tags": ["x_refsource_MISC"], "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/Zer0Security/status/983529439433777152"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-05-31T00:00:00", "ID": "CVE-2017-9506", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Atlassian OAuth Plugin", "version": {"version_data": [{"version_value": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server-Side Request Forgery"}]}]}, "references": {"reference_data": [{"name": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html", "refsource": "MISC", "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"}, {"name": "https://twitter.com/ankit_anubhav/status/973566620676382721", "refsource": "MISC", "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"}, {"name": "https://ecosystem.atlassian.net/browse/OAUTH-344", "refsource": "MISC", "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"}, {"name": "https://twitter.com/Zer0Security/status/983529439433777152", "refsource": "MISC", "url": "https://twitter.com/Zer0Security/status/983529439433777152"}, {"name": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3", "refsource": "MISC", "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:11:01.834Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/Zer0Security/status/983529439433777152"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"}]}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-9506", "datePublished": "2017-08-23T19:00:00Z", "dateReserved": "2017-06-07T00:00:00", "dateUpdated": "2024-09-16T20:51:54.092Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:oauth:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6931470D-FCD0-4295-B526-72F9DC18F8D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "86DF4383-C75F-4C20-97AE-17024E59C85F", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4CE7703F-28FA-49F3-B8F0-0EA19983534C", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "F1B1269B-D7F0-4AB9-A6A1-F5F09273C1E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "5F788273-7F50-4A5F-B194-9AF88AD5C83F", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "60D90C52-C6D4-4BA2-B16F-E24562AB35D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "74865E14-42E9-40C9-AA3E-33B00BCBAF90", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "7C4D0F79-ACD1-4356-BED4-F361D60633FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "59F8F976-DA00-4618-8E54-60D6133AAB55", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "E5826307-85F4-4C9D-A8C2-E736877F2487", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "7408A0CF-58FC-4FC5-8406-9624C059F480", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A3CB417-E229-4D0E-AAE1-6A1708332DAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.4.0:m1:*:*:*:*:*:*", "matchCriteriaId": "6B25D52D-C926-4CE2-8FD7-08211FB5156F", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.4.0:m2:*:*:*:*:*:*", "matchCriteriaId": "1B45678B-D690-455B-82FB-29B5E6C92D99", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "5890D37F-7C5E-484C-BA9F-B101EE407535", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F8F9EE5-680F-4E96-8266-61F5EAD57F36", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.5.0:m1:*:*:*:*:*:*", "matchCriteriaId": "C15E96B8-D920-43B9-A587-9A6ED4CADDA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.5.0:m3:*:*:*:*:*:*", "matchCriteriaId": "68DC4126-C130-419F-8A1C-B50C4AB196F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8BECD3F-26FD-4FF4-AB68-6597766C5784", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.6.0:m1:*:*:*:*:*:*", "matchCriteriaId": "03914A93-B432-4AE1-94C1-23C23C22E07E", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.6.0:m4:*:*:*:*:*:*", "matchCriteriaId": "441FE496-A2A8-478D-8AC0-6AE7210B8DFF", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "DF711A0D-7527-440D-9F54-32B2D550BFE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA6E4311-CDED-4D26-8258-0CA2106723C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "408339FF-21EB-44D8-BD26-E085AE83AC80", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.0:m1:*:*:*:*:*:*", "matchCriteriaId": "B60AA166-B682-4420-BC98-104A19E0F604", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "8278DDA7-4F73-4EDD-AA97-A1AB6806D6E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "09A9F674-3B94-4D3A-870E-F4488A00BDA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "D4088D76-BA49-422A-B80F-BC4C7656C28E", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "32804B74-92C4-4FAD-86D3-599108CC0E36", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "919EB181-8A1D-4BBC-A847-F6320480EDC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "88F98ECB-402C-404B-B22D-9E145CC568F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.0:m1:*:*:*:*:*:*", "matchCriteriaId": "9B6A21E5-78A2-4C70-9EA2-0C3463647B98", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.0:m2:*:*:*:*:*:*", "matchCriteriaId": "70DD87A9-806B-4D01-876B-AFCCF57052ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "DA83C8C5-6AA5-4560-8839-297DF9A676DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "964D45DE-7F4D-41C4-AD3E-D14FF2906632", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "8944539B-B073-4308-91FF-84437D7AE220", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "DC5AF81F-65A5-402A-9AFE-A414F969C1F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "844330C2-A2C6-433A-9C28-5012FDF81423", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "91E6952F-3742-4A9F-B6A3-E6469E1D3D6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "A638EEDC-AEF5-4496-A006-E860E7C59926", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.8:*:*:*:*:*:*:*", "matchCriteriaId": "108C2E74-3300-47AD-940C-ADEF1613F380", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.9:*:*:*:*:*:*:*", "matchCriteriaId": "07B479B9-4299-4F54-8E6D-6EE9E860B4FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.10:*:*:*:*:*:*:*", "matchCriteriaId": "EDF046E0-0BAB-42D0-A7D2-4179EF6639EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:1.9.11:*:*:*:*:*:*:*", "matchCriteriaId": "554DF85D-5B54-42EC-B86E-94449C592C7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CFFCCA48-CC4A-4B97-A1E2-17D26D88C47C", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "5D4A72A1-F335-4E22-B798-69B122145411", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "42C01D71-0E47-48C1-A55B-7548AD0178A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:oauth:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F8466429-974C-4921-AE06-CE3DB2E6E48A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."}, {"lang": "es", "value": "IconUriServlet del plugin Atlassian OAuth desde la versi\u00f3n 1.3.0 y antes de la versi\u00f3n 1.9.12, y desde la versi\u00f3n 2.0.0 antes de la versi\u00f3n 2.0.4 permite que atacantes remotos accedan al contenido de los recursos de red internos y/o realizar un ataque XSS mediante Server Side Request Forgery (SSRF)."}], "id": "CVE-2017-9506", "lastModified": "2019-05-10T15:22:38.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-23T19:29:00.197", "references": [{"source": "security@atlassian.com", "tags": ["Exploit", "Third Party Advisory"], "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"}, {"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"}, {"source": "security@atlassian.com", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"}, {"source": "security@atlassian.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/Zer0Security/status/983529439433777152"}, {"source": "security@atlassian.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}