CVE-2017-18096

Severity: 7.2 HIGH
EPSS: 0.2% (top 51.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 4; Latest update May 14

Description

The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2,

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

Source     Package                                 Introduced   Fixed   Additional ranges
NVD        atlassian/application_links             5.3.0        5.3.4   +2
CVEListV5  atlassian/atlassian_application_links   unspecified  5.2.7   +4

Vulnerability Details (2 sources)

GHSA: GHSA-3jwg-839p-m5gf (2022-05-14): The OAuth status rest resource in Atlassian Application Links before version 5
CVEList: CVE-2017-18096 (2018-04-04): The OAuth status rest resource in Atlassian Application Links before version 5
Source: cvebase.io