{"id":"CVE-2017-9506","details":"The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).","modified":"2026-04-10T04:02:41.415644Z","published":"2017-08-23T19:29:00.197Z","references":[{"type":"ADVISORY","url":"https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"},{"type":"REPORT","url":"https://ecosystem.atlassian.net/browse/OAUTH-344"},{"type":"EVIDENCE","url":"https://twitter.com/ankit_anubhav/status/973566620676382721"},{"type":"EVIDENCE","url":"http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"},{"type":"EVIDENCE","url":"https://twitter.com/Zer0Security/status/983529439433777152"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/atlassian/atlassian-oauth","events":[{"introduced":"0"},{"last_affected":"90003c7a83c711e2fb614ee5606852138ea1aa24"},{"introduced":"0"},{"last_affected":"59177f8bce837e3bd9a12b5a0145ce64d04d388e"},{"introduced":"0"},{"last_affected":"dba3422777a96b6349f87d3936f2e05e93774a7d"},{"introduced":"0"},{"last_affected":"68e8732054399829d202f76dd8b82b0b543a1bbe"},{"introduced":"0"},{"last_affected":"18603e87f614061fcc39200ea44545302a5553cd"},{"introduced":"0"},{"last_affected":"1d86fda7f1843fda182fa15c2703a1df150e41dd"},{"introduced":"0"},{"last_affected":"98f1d8572f4005f37c24b5d21cd58f86b168283c"},{"introduced":"0"},{"last_affected":"cd2b6f395cee4cd22b482764fea9d4b38343c521"},{"introduced":"0"},{"last_affected":"76d5f5b4827eaedf9e8e5dcb69e800607c6e615d"},{"introduced":"0"},{"last_affected":"22a6fc3dc40506532681b9663bba21d67c7a4a2d"},{"introduced":"0"},{"last_affected":"ba0852f9abd29ec931c10c0b3404d2db91ecd4ac"},{"introduced":"0"},{"last_affected":"b0b7147fbfb4471975b6efc63e1f4ca1c6af9d3a"},{"introduced":"0"},{"last_affected":"f190cbba70a6f58d03666e78c29d33493a0afb52"},{"introduced":"0"},{"last_affected":"0fae1d589d62260f893c3c2c0f8818d3229d2fcc"},{"introduced":"0"},{"last_affected":"50f8ab0778f5e9afc821d524c7fad3984d20dfc9"},{"introduced":"0"},{"last_affected":"ec84b1697760a3e801fd4ba4b31dd7f05592a9b9"},{"introduced":"0"},{"last_affected":"cd8b3674bdc095a05ceb466707bc528b8ffc5fd9"},{"introduced":"0"},{"last_affected":"4d61f52b293bfac278b30c3b5448595ed7a20b8f"},{"introduced":"0"},{"last_affected":"f3c1571d97011c166e9fa0587b6ac70ca8510d39"},{"introduced":"0"},{"last_affected":"657fc3a7029c9042fd8efb48f4e5a2fca4723275"},{"introduced":"0"},{"last_affected":"a01121da9face7147b4b976a714d6b308720e841"},{"introduced":"0"},{"last_affected":"71bedd3bb9ab1aa7b1b8314a4a1a625aa0c55350"},{"introduced":"0"},{"last_affected":"280731d926e432925173243f0641b9c738b753e1"},{"introduced":"0"},{"last_affected":"fc321f9c51fad856e02a6937a089c8e1e683fadc"},{"introduced":"0"},{"last_affected":"be2ae983a29ea7d6151ec4c0b8b92eab2d716a1b"},{"introduced":"0"},{"last_affected":"f10243f2bdaddeb79ac3f6d39a4631068e9aa122"},{"introduced":"0"},{"last_affected":"49e62191bc5fb056cd4d5f85bac20388362c3dc5"},{"introduced":"0"},{"last_affected":"a996eca2a347a70ed05586bd4a41e99ba4d5cdd5"},{"introduced":"0"},{"last_affected":"9857dec428f24a30f53a53d24b92e6eaea128cda"},{"introduced":"0"},{"last_affected":"01b7db00edbd32f297fe00f7b8e14ef99fc0e476"},{"introduced":"0"},{"last_affected":"89b48fac5cd3f463aa745e1bf6a0687042557553"},{"introduced":"0"},{"last_affected":"0d55d7b949f5e6028ed45f6747841cc0611ed68b"},{"introduced":"0"},{"last_affected":"e96308f7b020d05dda2dc09fcd78536c354f7231"},{"introduced":"0"},{"last_affected":"5b7dc7f934ec554f7b65e971bd3dbae4049614a5"},{"introduced":"0"},{"last_affected":"bd0e2d35aa5579ccd497c23eb682ebc1f960e4b8"},{"introduced":"0"},{"last_affected":"11fb661f88722df187bbda6ee8ac5f0022c3295f"},{"introduced":"0"},{"last_affected":"06ec6b3b56229dfb5c7d5fe564857cd4a6a62e1e"},{"introduced":"0"},{"last_affected":"6c4ecde10bfcf5db06fc4324c5f872d8bd303ad2"},{"introduced":"0"},{"last_affected":"800ce484a663897efd4b2086b51dca1f0e75c5f4"},{"introduced":"0"},{"last_affected":"b162f484aed53a1d79b98197ca5dde077ba689b4"},{"introduced":"0"},{"last_affected":"7ba583b1632876f4e0cd423afa8981017cf8242c"},{"introduced":"0"},{"last_affected":"b36a7cce0205302e9aeb4c1252998b309df47966"},{"introduced":"0"},{"last_affected":"48407d2e131d2c5271f64e8a9a005956c3f6aaf1"},{"introduced":"0"},{"last_affected":"94a70d436f4978ea5b0fc835fbdfc8dc4434125f"},{"introduced":"0"},{"last_affected":"4644f123d97a3fc84c9f2bca82dc3763da35fcc1"},{"introduced":"0"},{"last_affected":"d8a44e1273fa4c0923e3fa5c9a01654ad33e3980"},{"introduced":"0"},{"last_affected":"92b100999079d0e48497b67a8fb12f79fb712a5e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3.0"},{"introduced":"0"},{"last_affected":"1.3.1"},{"introduced":"0"},{"last_affected":"1.3.2"},{"introduced":"0"},{"last_affected":"1.3.3"},{"introduced":"0"},{"last_affected":"1.3.4"},{"introduced":"0"},{"last_affected":"1.3.5"},{"introduced":"0"},{"last_affected":"1.3.6"},{"introduced":"0"},{"last_affected":"1.3.7"},{"introduced":"0"},{"last_affected":"1.3.8"},{"introduced":"0"},{"last_affected":"1.3.9"},{"introduced":"0"},{"last_affected":"1.3.10"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.4.0-m1"},{"introduced":"0"},{"last_affected":"1.4.0-m2"},{"introduced":"0"},{"last_affected":"1.4.1"},{"introduced":"0"},{"last_affected":"1.5.0"},{"introduced":"0"},{"last_affected":"1.5.0-m1"},{"introduced":"0"},{"last_affected":"1.5.0-m3"},{"introduced":"0"},{"last_affected":"1.6.0"},{"introduced":"0"},{"last_affected":"1.6.0-m1"},{"introduced":"0"},{"last_affected":"1.6.0-m4"},{"introduced":"0"},{"last_affected":"1.6.1"},{"introduced":"0"},{"last_affected":"1.7.0"},{"introduced":"0"},{"last_affected":"1.8.0"},{"introduced":"0"},{"last_affected":"1.8.0-m1"},{"introduced":"0"},{"last_affected":"1.8.1"},{"introduced":"0"},{"last_affected":"1.8.2"},{"introduced":"0"},{"last_affected":"1.8.3"},{"introduced":"0"},{"last_affected":"1.8.4"},{"introduced":"0"},{"last_affected":"1.8.5"},{"introduced":"0"},{"last_affected":"1.9.0-m1"},{"introduced":"0"},{"last_affected":"1.9.0-m2"},{"introduced":"0"},{"last_affected":"1.9.1"},{"introduced":"0"},{"last_affected":"1.9.2"},{"introduced":"0"},{"last_affected":"1.9.3"},{"introduced":"0"},{"last_affected":"1.9.4"},{"introduced":"0"},{"last_affected":"1.9.5"},{"introduced":"0"},{"last_affected":"1.9.6"},{"introduced":"0"},{"last_affected":"1.9.7"},{"introduced":"0"},{"last_affected":"1.9.8"},{"introduced":"0"},{"last_affected":"1.9.9"},{"introduced":"0"},{"last_affected":"1.9.10"},{"introduced":"0"},{"last_affected":"1.9.11"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.0.2"},{"introduced":"0"},{"last_affected":"2.0.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9506.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}