Medium severity 6.1 · NVD Advisory · Published Aug 23, 2017 · Updated May 13, 2026
CVE-2017-9506
Description
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
Affected products
- cpe:2.3:a:atlassian:oauth:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.0:m2:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.5.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.5.0:m3:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.0:m4:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.0:m1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.0:m2:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:1.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:oauth:2.0.3:*:*:*:*:*:*:*
- Atlassian/Atlassian OAuth Plugin · v5 · Range: From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4.
Patches
No patches discovered yet.
References
- dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html [nvd] Exploit, Third Party Advisory
- twitter.com/Zer0Security/status/983529439433777152 [nvd] Exploit, Third Party Advisory
- twitter.com/ankit_anubhav/status/973566620676382721 [nvd] Exploit, Third Party Advisory
- ecosystem.atlassian.net/browse/OAUTH-344 [nvd] Issue Tracking, Vendor Advisory
- medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3 [nvd] Broken Link, Third Party Advisory