CVE-2017-9506

CVE Database · CVE-2017-9506

CVE-2017-9506

· N/AModified

CVSS v3.1

N/A

EPSS

36.99%

Published

Aug 23, 2017

Modified

May 12, 2026

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

Weaknesses (CWE)

CWE-918

Affected Products (48)

atlassian · oauthvulnerable

References (10)

http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html

ExploitThird Party Advisory

https://ecosystem.atlassian.net/browse/OAUTH-344

Issue TrackingVendor Advisory

https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3

Broken LinkThird Party Advisory

https://twitter.com/Zer0Security/status/983529439433777152

ExploitThird Party Advisory

https://twitter.com/ankit_anubhav/status/973566620676382721

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs

atlassian · oauthvulnerable