Atlassian OAuth Plugin 1.3.0 < 1.9.12 / 2.0.0 < 2.0.4 Server-Side Request Forgery

medium Web Application Scanning Plugin ID 98999

Language:

Synopsis

Atlassian OAuth Plugin 1.3.0 < 1.9.12 / 2.0.0 < 2.0.4 Server-Side Request Forgery

Description

Atlassian OAuth Plugin from version 1.3.0 to 1.9.11 and from version 2.0.0 to 2.0.3 allows remote attackers to make the target application act as a proxy and perform requests to internal or external resources through the IconUriServlet.

Attackers may leverage this vulnerability to conduct cross-site scripting attacks or to gain access to sensitive information like metadata resources in a cloud-based environment.

The following Atlassian product versions are vulnerable:
- Bamboo < 6.0.0
- Bitbucket < 4.14.4
- Confluence < 6.1.3
- Crowd < 2.11.2
- Crucible & Fisheye < 4.3.2
- Jira < 7.3.5.

Solution

Upgrade at least to the Atlassian product versions bundled with a fixed version of the OAuth plugin : Bamboo version 6.0.0, Bitbucket version 4.14.4, Confluence version 6.1.3, Crowd version 2.11.2, Crucible & Fisheye version 4.3.2 and Jira version 7.3.5.

See Also

https://ecosystem.atlassian.net/browse/OAUTH-344

http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html

https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a

Plugin Details

Severity: Medium

ID: 98999

Type: remote

Published: 4/16/2020

Updated: 9/7/2021

Scan Template: pci, api, scan

Risk Information

VPR

Risk Factor: Low

Score: 3

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2017-9506

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2017-9506

Vulnerability Information

CPE: cpe:2.3:a:atlassian:oauth:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2017-9506