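    2 vulnerabilities found for Atlassian OAuth Plugin by Atlassian (both entries are the same record, CVE-2017-9506, listed once from the nvd source and once from the cvelistv5 source)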

    CVE-2017-9506 (GCVE-0-2017-9506)

    Vulnerability from nvd – Published: 2017-08-23 19:00 – Updated: 2024-10-16 14:03
    Summary
    The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3), timestamped 2024-10-16 14:02 UTC
    CWE
    • Server-Side Request Forgery
    Assigner: atlassian
    Impacted products
    Vendor: Atlassian
    Product: Atlassian OAuth Plugin
    Version: Affected: From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 (the affected ranges exclude 1.9.12 and 2.0.4 themselves).
    Date Public
    2017-05-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T17:11:01.834Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/Zer0Security/status/983529439433777152"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2017-9506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:02:53.950017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T14:03:06.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian OAuth Plugin",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."
                }
              ]
            }
          ],
          "datePublic": "2017-05-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-10T06:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/Zer0Security/status/983529439433777152"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2017-05-31T00:00:00",
              "ID": "CVE-2017-9506",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian OAuth Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Server-Side Request Forgery"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html",
                  "refsource": "MISC",
                  "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
                },
                {
                  "name": "https://twitter.com/ankit_anubhav/status/973566620676382721",
                  "refsource": "MISC",
                  "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
                },
                {
                  "name": "https://ecosystem.atlassian.net/browse/OAUTH-344",
                  "refsource": "MISC",
                  "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
                },
                {
                  "name": "https://twitter.com/Zer0Security/status/983529439433777152",
                  "refsource": "MISC",
                  "url": "https://twitter.com/Zer0Security/status/983529439433777152"
                },
                {
                  "name": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3",
                  "refsource": "MISC",
                  "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2017-9506",
        "datePublished": "2017-08-23T19:00:00.000Z",
        "dateReserved": "2017-06-07T00:00:00.000Z",
        "dateUpdated": "2024-10-16T14:03:06.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-9506 (GCVE-0-2017-9506)

    Vulnerability from cvelistv5 – Published: 2017-08-23 19:00 – Updated: 2024-10-16 14:03
    Summary
    The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3), timestamped 2024-10-16 14:02 UTC
    CWE
    • Server-Side Request Forgery
    Assigner: atlassian
    Impacted products
    Vendor: Atlassian
    Product: Atlassian OAuth Plugin
    Version: Affected: From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 (the affected ranges exclude 1.9.12 and 2.0.4 themselves).
    Date Public
    2017-05-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T17:11:01.834Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/Zer0Security/status/983529439433777152"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2017-9506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:02:53.950017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T14:03:06.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian OAuth Plugin",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."
                }
              ]
            }
          ],
          "datePublic": "2017-05-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-10T06:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/Zer0Security/status/983529439433777152"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2017-05-31T00:00:00",
              "ID": "CVE-2017-9506",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian OAuth Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Server-Side Request Forgery"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html",
                  "refsource": "MISC",
                  "url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
                },
                {
                  "name": "https://twitter.com/ankit_anubhav/status/973566620676382721",
                  "refsource": "MISC",
                  "url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
                },
                {
                  "name": "https://ecosystem.atlassian.net/browse/OAUTH-344",
                  "refsource": "MISC",
                  "url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
                },
                {
                  "name": "https://twitter.com/Zer0Security/status/983529439433777152",
                  "refsource": "MISC",
                  "url": "https://twitter.com/Zer0Security/status/983529439433777152"
                },
                {
                  "name": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3",
                  "refsource": "MISC",
                  "url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2017-9506",
        "datePublished": "2017-08-23T19:00:00.000Z",
        "dateReserved": "2017-06-07T00:00:00.000Z",
        "dateUpdated": "2024-10-16T14:03:06.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }