[OAUTH-344] The icon-uri servlet allows arbitrary HTTP requests to be proxied - CVE-2017-9506 - Ecosystem Jira

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.0
Fix Version/s: 2.0.4, 1.9.12
Component/s: None
Labels:

Sprint:

Description

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw can used to access to a metadata resource that provides access credentials and other potentially confidential information.

Attachments

Issue links

is related to: BAM-18654 Loading...; CONFSERVER-53362 Loading...; JRASERVER-65862 Loading...; BSERV-9649 Loading...; CWD-4883 Loading...

relates to: PS-23476 Loading...; CRUC-8042 Loading...; FE-6885 Loading...

Show 3 more links (3 relates to)

Activity

People

Assignee:

Petro Semeniuk (Inactive)

Reporter:

David Black

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

30/May/17 6:58 PM

Updated:

21/Mar/18 8:09 AM

Resolved:

30/May/17 6:58 PM