CVE-2017-9506

Sažetak

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

Reference

http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
https://ecosystem.atlassian.net/browse/OAUTH-344
https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
https://twitter.com/ankit_anubhav/status/973566620676382721
https://twitter.com/Zer0Security/status/983529439433777152

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

10-05-2019 - 15:22

Objavljeno

23-08-2017 - 19:29