The icon-uri servlet allows arbitrary HTTP requests to be proxied - CVE-2017-9506

Description

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw can be used to access a metadata resource that provides access credentials and other potentially confidential information.
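As an added defensive example (not code from the OAuth plugin or from Atlassian), the Python function below shows the destination check an icon-fetching proxy like the one described above needs before it makes a server-side request: it accepts only http and https, resolves the hostname, and refuses any address in loopback, private or link-local space (the range the EC2 instance metadata service lives in). The resolver and its hostname table are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed hostname table standing in for DNS so the example runs offline.
# A real check would call socket.getaddrinfo() and test every returned address,
# not just the first, since an attacker-controlled name can return several.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],              # public only
    "localtest.example": ["127.0.0.1"],          # loopback
    "dual.example": ["1.1.1.1", "10.0.0.5"],     # mixed public and private
}


def resolve(host):
    """Stand-in resolver: returns the constructed address list for a host."""
    return FAKE_DNS.get(host, [])


def is_disallowed(ip):
    """True for any address an outbound icon fetch must never reach."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_link_local covers 169.254.0.0/16, where the EC2 metadata service lives.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_target(url, resolver=resolve):
    """Decide whether a server-side fetch of `url` may proceed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # no file:, gopher:, etc.
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return False                  # resolver returned garbage
    if not addrs:
        return False                      # unresolvable: fail closed
    # Every resolved address must be acceptable, not just one of them.
    return not any(is_disallowed(ip) for ip in addrs)
```

The check must also be applied to every hop if the HTTP client follows redirects, since an approved public URL can redirect to an internal one; the simplest option is to disable redirects for proxied fetches.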

Environment

None

Testing Notes

None

Status

Assignee

Petro Semeniuk

Reporter

David

Add-on Type

None

Team

None

CC

None

Risk factor

None

QA Kickoff Status

None

QA Demo Status

None

Fix versions

Affects versions

1.3.0

Priority

Major