CVE-2017-9506
published 2017-08-23


Priority P181 · medium · 6.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 71.60% (99.3th percentile)
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

Affected

40 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | atlassian_oauth_plugin | | |
| atlassian | oauth | | |

Detection & IOCs (extracted from sources)

url: /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}}
url: /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname
url: /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/public-ipv4
path: /plugins/servlet/oauth/users/icon-uri
  • Monitor HTTP requests to the IconUriServlet endpoint path `/plugins/servlet/oauth/users/icon-uri` with a `consumerUri` query parameter pointing to internal/SSRF targets (e.g., RFC1918 addresses, 169.254.169.254, or out-of-band callback URLs).
  • Detect SSRF attempts targeting AWS instance metadata service via the `consumerUri` parameter value containing `169.254.169.254`.
  • Use Shodan queries `http.component:"Atlassian Jira"` or `http.component:"atlassian jira"` to identify exposed vulnerable Jira instances.
  • Confirm exploitation via out-of-band HTTP interaction: a successful SSRF will trigger an outbound HTTP request from the server to the attacker-controlled `consumerUri` destination.
  • Attacker can perform cross-port scanning (XSPA) by assessing response times for ports via the `consumerUri` parameter, enabling internal network enumeration.
  • Vulnerable versions are Atlassian OAuth Plugin 1.3.0 – <1.9.12 and 2.0.0 – <2.0.4. Instances running patched versions are not affected.
  • The vulnerability is exploitable without authentication (PR:N) but requires user interaction (UI:R) per CVSS scoring, meaning some attack vectors may require a victim to trigger the request.
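The monitoring points above (requests to the `/plugins/servlet/oauth/users/icon-uri` path whose `consumerUri` points at RFC 1918 space, the 169.254.169.254 metadata address, or an arbitrary external callback host) can be turned into a log check. The following is an added example written for this page, not code from the CVE record, Atlassian, or any detection-rule source it cites. It assumes combined-format web server access logs and runs over a handful of constructed sample lines; the client addresses and the `oob.example.net` / `cdn.example.com` hosts are made up for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint path from the IOC list for CVE-2017-9506.
ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Apache/nginx combined log format (assumed; the constructed sample follows it).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access-log lines (not taken from the page); client addresses
# are RFC 5737 documentation values, destinations are metadata / RFC 1918 / example hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Aug/2017:10:01:12 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname HTTP/1.1" 200 512
198.51.100.7 - - [23/Aug/2017:10:01:15 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 0
203.0.113.9 - - [23/Aug/2017:10:02:00 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://oob.example.net/x HTTP/1.1" 200 0
203.0.113.9 - - [23/Aug/2017:10:02:30 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8192
192.0.2.4 - - [23/Aug/2017:10:03:00 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://cdn.example.com/icon.png HTTP/1.1" 200 1024
"""

# Severity labels are this example's own choice, not from the page.
SEVERITY = {
    "cloud-metadata": "high",    # 169.254.169.254 (instance metadata service)
    "internal-network": "high",  # RFC 1918, loopback, other link-local
    "hostname": "medium",        # possible out-of-band callback; compare with known OAuth consumers
    "public-ip": "low",
}


def classify_consumer_uri(consumer_uri: str) -> Optional[str]:
    """Label where a consumerUri value points; None if it carries no host at all."""
    host = urlsplit(consumer_uri).hostname
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a name the server will resolve and fetch,
        # which is the out-of-band callback pattern in the IOC list.
        return "hostname"
    if ip == ipaddress.ip_address("169.254.169.254"):
        return "cloud-metadata"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal-network"
    return "public-ip"


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request to the IconUriServlet path that carries consumerUri."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != ICON_URI_PATH:
            continue
        # parse_qs percent-decodes, so an encoded consumerUri is classified the same way.
        for consumer_uri in parse_qs(target.query).get("consumerUri", []):
            label = classify_consumer_uri(consumer_uri)
            if label is None:
                continue
            findings.append({
                "src": m.group("src"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "consumer_uri": consumer_uri,
                "label": label,
                "severity": SEVERITY[label],
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['label']:16} {f['src']:14} -> {f['consumer_uri']}")
```

Every hit on the endpoint is reported, because on a patched instance the servlet is still reachable and legitimate consumers do supply a `consumerUri`; the label and severity let an analyst separate metadata and RFC 1918 targets (worth an immediate look) from external hostnames, which should be compared against the instance's registered OAuth consumers before being treated as a callback probe.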

CVSS provenance

nvd · v3.0 · 6.1 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck · 6.1 MEDIUM