CVE-2017-9506
Published: 2017-08-23
Priority: P1 (81) · medium 6.1 · CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 71.60% (99.3rd percentile)
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
Affected
40 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | atlassian_oauth_plugin | — | — |
| atlassian | oauth | — | — |
Detection & IOCs (extracted from sources)
- url: `/plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}}`
- url: `/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname`
- url: `/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/public-ipv4`
- path: `/plugins/servlet/oauth/users/icon-uri`
- Monitor HTTP requests to the IconUriServlet endpoint path `/plugins/servlet/oauth/users/icon-uri` whose `consumerUri` query parameter points to internal or SSRF targets (e.g., RFC1918 addresses, 169.254.169.254, or out-of-band callback URLs).
- Detect SSRF attempts against the AWS instance metadata service: a `consumerUri` parameter value containing `169.254.169.254`.
- Use the Shodan queries `http.component:"Atlassian Jira"` or `http.component:"atlassian jira"` to identify exposed Jira instances that may be vulnerable.
- Confirm exploitation via out-of-band HTTP interaction: a successful SSRF triggers an outbound HTTP request from the server to the attacker-controlled `consumerUri` destination.
- An attacker can perform cross-site port attack (XSPA) style port scanning by comparing response times for different ports supplied in the `consumerUri` parameter, enabling internal network enumeration.
- Vulnerable versions are Atlassian OAuth Plugin 1.3.0 up to (but not including) 1.9.12 and 2.0.0 up to (but not including) 2.0.4. Instances running patched versions are not affected.
- The vulnerability is exploitable without authentication (PR:N) but requires user interaction (UI:R) per the CVSS scoring, meaning some attack vectors need a victim to trigger the request.
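The first two detection items above can be turned into a log check. This Python script is an added example (not code from any of the sources on this page): it parses combined-format access-log lines, picks out requests to the icon-uri path that carry `consumerUri`, and labels the target host as cloud-metadata, loopback, internal IP, or an external host/IP that may be an out-of-band callback. The log lines, the `callback.oast.example` hostname and the 192.0.2.0/24 client addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"   # endpoint from the IOCs above
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')  # combined log format

def classify_target(consumer_uri):
    """Label where the server would be asked to connect by a consumerUri value."""
    host = urlsplit(consumer_uri).hostname or ""
    if host == "169.254.169.254":
        return "cloud-metadata"          # instance metadata service
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostnames are not resolved here (offline check): report as a possible
        # out-of-band callback and resolve at triage time.
        return "external-host"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal-ip"             # RFC1918, link-local and other reserved space
    return "external-ip"

def check_log_line(line):
    """Return (consumerUri, label) for an icon-uri request carrying consumerUri, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != ICON_URI_PATH:
        return None
    values = parse_qs(target.query).get("consumerUri")   # parse_qs percent-decodes the value
    if not values:
        return None
    return values[0], classify_target(values[0])

def scan(lines):
    """Collect every flagged icon-uri request from a sequence of access-log lines."""
    return [hit for hit in map(check_log_line, lines) if hit]

# Constructed sample log lines, not real traffic (192.0.2.0/24 is documentation space).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname HTTP/1.1" 200 41',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:03 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://callback.oast.example/ HTTP/1.1" 200 0',
]
```

Run `scan(SAMPLE_LOG)` against real access logs by reading lines from the file; the percent-encoded third sample shows why decoding must happen before the host is classified.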
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |
GHSA
GHSA-wr82-63qc-g2h8 · ghsa_unreviewed · 2022-05-14 · CVE-2017-9506 [MEDIUM] · CWE-918
VulnCheck
Atlassian oauth Server-Side Request Forgery (SSRF) · vulncheck · 2017 · CVE-2017-9506 · CVSS 6.1 [MEDIUM]
Affected: Atlassian oauth
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024
- https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip
- https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-20
No detection rules found.
Nuclei
Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery · nuclei · CVE-2017-9506 · CVSS 6.1 [MEDIUM]
The Atlassian Jira IconUriServlet of the OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 contains a cross-site scripting vulnerability which allows remote attackers to access the content of internal network resources and/or perform an attack via Server Side Request Forgery.
Template:
```yaml
id: CVE-2017-9506

info:
  name: Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery
  author: pdteam
  severity: medium
  description: The Atlassian Jira IconUriServlet of the OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 contains a cross-site scripting vulnerability which allows remote attackers to access
```
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes · blogs_unit42 · 2021-10-14
Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu · Published: October 14, 2021 · Threat Research · Cybercrime
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Greynoiseio
NoiseLetter September 2025 · blogs_greynoiseio
Recorded Future
blogs_recorded_future · CVSS 9.6 [CRITICAL]
# Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from di
HackerOne
SSRF on █████████ Allowing internal server data access · hackerone · 2019-10-08 · CVSS 6.1 [MEDIUM]
**Summary:**
An endpoint on ██████ allows internal access to the network, thus revealing sensitive data and allowing internal tunneling.
**Description:**
The OAuth Plugin allows you to provide a URL that gives a snapshot of the web page. We can pass internal URLs and conduct SSRF.
## Impact
Critical
## Step-by-step Reproduction Instructions
https://███████/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname
We can see the following data:
ip-172-31-12-254.█████████.compute.internal
https://████████/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/public-ipv4
███████
## Product, Version, and Configuration (If applicable)
Jira
## Suggested Mitigation/Remedi
References
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
- https://ecosystem.atlassian.net/browse/OAUTH-344
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
- https://twitter.com/Zer0Security/status/983529439433777152
- https://twitter.com/ankit_anubhav/status/973566620676382721