CVE-2017-9506

Published: 23/08/2017 Updated: 10/05/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 385
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote malicious users to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

Vulnerable Products

atlassian oauth 1.3.0
atlassian oauth 1.3.1
atlassian oauth 1.3.2
atlassian oauth 1.3.3
atlassian oauth 1.3.4
atlassian oauth 1.3.5
atlassian oauth 1.3.6
atlassian oauth 1.3.7
atlassian oauth 1.3.8
atlassian oauth 1.3.9
atlassian oauth 1.3.10
atlassian oauth 1.4.0
atlassian oauth 1.4.1
atlassian oauth 1.5.0
atlassian oauth 1.6.0
atlassian oauth 1.6.1
atlassian oauth 1.7.0
atlassian oauth 1.8.0
atlassian oauth 1.8.1
atlassian oauth 1.8.2
atlassian oauth 1.8.3
atlassian oauth 1.8.4
atlassian oauth 1.8.5
atlassian oauth 1.9.0
atlassian oauth 1.9.1
atlassian oauth 1.9.2
atlassian oauth 1.9.3
atlassian oauth 1.9.4
atlassian oauth 1.9.5
atlassian oauth 1.9.6
atlassian oauth 1.9.7
atlassian oauth 1.9.8
atlassian oauth 1.9.9
atlassian oauth 1.9.10
atlassian oauth 1.9.11
atlassian oauth 2.0.0
atlassian oauth 2.0.1
atlassian oauth 2.0.2
atlassian oauth 2.0.3

Vendor Advisories

Check Point Reference: CPAI-2017-1802 (Date Published: 11 Feb 2024, Severity: Medium) ...

Github Repositories

CVE-2017-9506
jira-ssrf: CVE-2017-9506. The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

One stop place for exploiting Jira instances in your proximity
Jiraffe: Jiraffe - One stop place for exploiting all Jira instances in your proximity. Installation | Usage | Demo | Documentation. Features: Jiraffe is a sem

Jira-Scan: ONLY TESTED WITH PYTHON 3. Provide a list of websites to test without the http or https and this will test each one for the SSRF vuln CVE-2017-9506. The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perf

Atlassian Jira XSS attack via Server Side Request Forgery (SSRF).
Proof of Concept SSRF & XSS: jirayoucom//plugins/servlet/oauth/users/icon-uri?consumerUri=wwwgooglecouk CVE-2017-9506. The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal net

CVE-2017-9506 - SSRF
Jira-Scan: ONLY TESTED WITH PYTHON 3. Provide a list of websites to test without the http or https and this will test each one for the SSRF vuln. Use a VPS from DO. CVE-2017-9506. The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network re