CVE-2017-9506

🗓️ 23 Aug 2017 19:00:00Reported by atlassianType

Atlassian OAuth Plugin allows SSRF via IconUriServlet

Reporter	Title	Published	Views	Family All 26
Atlassian	The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506	30 Aug 201702:06	–	atlassian
Atlassian	The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506	21 Mar 201720:59	–	atlassian
Atlassian	The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506	30 Aug 201702:12	–	atlassian
Atlassian	The bundled Atlassian Activity Streams plugin had Improper Access control inside several rest inline action resource resource - CVE-2017-9506	21 Sep 201700:10	–	atlassian
Atlassian	The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506	30 Aug 201702:06	–	atlassian
Atlassian	The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506	21 Mar 201720:59	–	atlassian
Atlassian	The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506	30 Aug 201702:12	–	atlassian
Atlassian	The bundled Atlassian Activity Streams plugin had Improper Access control inside several rest inline action resource resource - CVE-2017-9506	21 Sep 201700:10	–	atlassian
Tenable Nessus	Atlassian Bamboo < 6.0.0 OAuth plugin allows arbitrary HTTP requests to be proxied	28 Jun 201800:00	–	nessus
Tenable Nessus	Atlassian Bitbucket < 4.14.4 OAuth Plugin IconUriServlet Internal Network Resource Disclosure CSRF	28 Jun 201800:00	–	nessus

NVD

Node

atlassian oauthMatch1.3.0

atlassian oauthMatch1.3.1

atlassian oauthMatch1.3.2

atlassian oauthMatch1.3.3

atlassian oauthMatch1.3.4

atlassian oauthMatch1.3.5

atlassian oauthMatch1.3.6

atlassian oauthMatch1.3.7

atlassian oauthMatch1.3.8

atlassian oauthMatch1.3.9

atlassian oauthMatch1.3.10

atlassian oauthMatch1.4.0

atlassian oauthMatch1.4.0m1

atlassian oauthMatch1.4.0m2

atlassian oauthMatch1.4.1

atlassian oauthMatch1.5.0

atlassian oauthMatch1.5.0m1

atlassian oauthMatch1.5.0m3

atlassian oauthMatch1.6.0

atlassian oauthMatch1.6.0m1

atlassian oauthMatch1.6.0m4

atlassian oauthMatch1.6.1

atlassian oauthMatch1.7.0

atlassian oauthMatch1.8.0

atlassian oauthMatch1.8.0m1

atlassian oauthMatch1.8.1

atlassian oauthMatch1.8.2

atlassian oauthMatch1.8.3

atlassian oauthMatch1.8.4

atlassian oauthMatch1.8.5

atlassian oauthMatch1.9.0

atlassian oauthMatch1.9.0m1

atlassian oauthMatch1.9.0m2

atlassian oauthMatch1.9.1

atlassian oauthMatch1.9.2

atlassian oauthMatch1.9.3

atlassian oauthMatch1.9.4

atlassian oauthMatch1.9.5

atlassian oauthMatch1.9.6

atlassian oauthMatch1.9.7

atlassian oauthMatch1.9.8

atlassian oauthMatch1.9.9

atlassian oauthMatch1.9.10

atlassian oauthMatch1.9.11

atlassian oauthMatch2.0.0

atlassian oauthMatch2.0.1

atlassian oauthMatch2.0.2

atlassian oauthMatch2.0.3

[
  {
    "product": "Atlassian OAuth Plugin",
    "vendor": "Atlassian",
    "versions": [
      {
        "status": "affected",
        "version": "From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4."
      }
    ]
  }
]

Source	Link
twitter	www.twitter.com/Zer0Security/status/983529439433777152
medium	www.medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
twitter	www.twitter.com/ankit_anubhav/status/973566620676382721
ecosystem	www.ecosystem.atlassian.net/browse/OAUTH-344
dontpanic	www.dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html

17 Jun 2026 01:28Current

5.6Medium risk

Vulners AI Score5.6

CVSS 24.3

CVSS 36.1

EPSS0.71601

SSVC

CWE-918

In Wild