mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-09-17 18:45:49 +00:00
372 lines
14 KiB
JSON
372 lines
14 KiB
JSON
{
|
|
"id": "CVE-2017-9506",
|
|
"sourceIdentifier": "security@atlassian.com",
|
|
"published": "2017-08-23T19:29:00.197",
|
|
"lastModified": "2019-05-10T15:22:38.517",
|
|
"vulnStatus": "Analyzed",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF)."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "IconUriServlet del plugin Atlassian OAuth desde la versi\u00f3n 1.3.0 y antes de la versi\u00f3n 1.9.12, y desde la versi\u00f3n 2.0.0 antes de la versi\u00f3n 2.0.4 permite que atacantes remotos accedan al contenido de los recursos de red internos y/o realizar un ataque XSS mediante Server Side Request Forgery (SSRF)."
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV30": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.0",
|
|
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "REQUIRED",
|
|
"scope": "CHANGED",
|
|
"confidentialityImpact": "LOW",
|
|
"integrityImpact": "LOW",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 6.1,
|
|
"baseSeverity": "MEDIUM"
|
|
},
|
|
"exploitabilityScore": 2.8,
|
|
"impactScore": 2.7
|
|
}
|
|
],
|
|
"cvssMetricV2": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "2.0",
|
|
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
|
"accessVector": "NETWORK",
|
|
"accessComplexity": "MEDIUM",
|
|
"authentication": "NONE",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "PARTIAL",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 4.3
|
|
},
|
|
"baseSeverity": "MEDIUM",
|
|
"exploitabilityScore": 8.6,
|
|
"impactScore": 2.9,
|
|
"acInsufInfo": false,
|
|
"obtainAllPrivilege": false,
|
|
"obtainUserPrivilege": false,
|
|
"obtainOtherPrivilege": false,
|
|
"userInteractionRequired": true
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-918"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "6931470D-FCD0-4295-B526-72F9DC18F8D4"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.1:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "86DF4383-C75F-4C20-97AE-17024E59C85F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.2:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "4CE7703F-28FA-49F3-B8F0-0EA19983534C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.3:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "F1B1269B-D7F0-4AB9-A6A1-F5F09273C1E7"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.4:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "5F788273-7F50-4A5F-B194-9AF88AD5C83F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.5:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "60D90C52-C6D4-4BA2-B16F-E24562AB35D1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.6:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "74865E14-42E9-40C9-AA3E-33B00BCBAF90"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.7:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "7C4D0F79-ACD1-4356-BED4-F361D60633FA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.8:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "59F8F976-DA00-4618-8E54-60D6133AAB55"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.9:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "E5826307-85F4-4C9D-A8C2-E736877F2487"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.3.10:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "7408A0CF-58FC-4FC5-8406-9624C059F480"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.4.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "6A3CB417-E229-4D0E-AAE1-6A1708332DAB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.4.0:m1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "6B25D52D-C926-4CE2-8FD7-08211FB5156F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.4.0:m2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "1B45678B-D690-455B-82FB-29B5E6C92D99"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.4.1:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "5890D37F-7C5E-484C-BA9F-B101EE407535"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.5.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9F8F9EE5-680F-4E96-8266-61F5EAD57F36"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.5.0:m1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C15E96B8-D920-43B9-A587-9A6ED4CADDA2"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.5.0:m3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "68DC4126-C130-419F-8A1C-B50C4AB196F6"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.6.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "E8BECD3F-26FD-4FF4-AB68-6597766C5784"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.6.0:m1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "03914A93-B432-4AE1-94C1-23C23C22E07E"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.6.0:m4:*:*:*:*:*:*",
|
|
"matchCriteriaId": "441FE496-A2A8-478D-8AC0-6AE7210B8DFF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.6.1:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DF711A0D-7527-440D-9F54-32B2D550BFE8"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.7.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DA6E4311-CDED-4D26-8258-0CA2106723C2"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "408339FF-21EB-44D8-BD26-E085AE83AC80"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.0:m1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "B60AA166-B682-4420-BC98-104A19E0F604"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.1:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8278DDA7-4F73-4EDD-AA97-A1AB6806D6E5"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.2:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "09A9F674-3B94-4D3A-870E-F4488A00BDA3"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.3:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D4088D76-BA49-422A-B80F-BC4C7656C28E"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.4:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "32804B74-92C4-4FAD-86D3-599108CC0E36"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.8.5:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "919EB181-8A1D-4BBC-A847-F6320480EDC2"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "88F98ECB-402C-404B-B22D-9E145CC568F0"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.0:m1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9B6A21E5-78A2-4C70-9EA2-0C3463647B98"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.0:m2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "70DD87A9-806B-4D01-876B-AFCCF57052ED"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.1:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DA83C8C5-6AA5-4560-8839-297DF9A676DA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.2:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "964D45DE-7F4D-41C4-AD3E-D14FF2906632"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.3:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8944539B-B073-4308-91FF-84437D7AE220"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.4:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DC5AF81F-65A5-402A-9AFE-A414F969C1F7"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.5:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "844330C2-A2C6-433A-9C28-5012FDF81423"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.6:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "91E6952F-3742-4A9F-B6A3-E6469E1D3D6D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.7:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "A638EEDC-AEF5-4496-A006-E860E7C59926"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.8:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "108C2E74-3300-47AD-940C-ADEF1613F380"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.9:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "07B479B9-4299-4F54-8E6D-6EE9E860B4FF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.10:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "EDF046E0-0BAB-42D0-A7D2-4179EF6639EA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:1.9.11:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "554DF85D-5B54-42EC-B86E-94449C592C7A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:2.0.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "CFFCCA48-CC4A-4B97-A1E2-17D26D88C47C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:2.0.1:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "5D4A72A1-F335-4E22-B798-69B122145411"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:2.0.2:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "42C01D71-0E47-48C1-A55B-7548AD0178A5"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:atlassian:oauth:2.0.3:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "F8466429-974C-4921-AE06-CE3DB2E6E48A"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html",
|
|
"source": "security@atlassian.com",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://ecosystem.atlassian.net/browse/OAUTH-344",
|
|
"source": "security@atlassian.com",
|
|
"tags": [
|
|
"Issue Tracking",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3",
|
|
"source": "security@atlassian.com",
|
|
"tags": [
|
|
"Broken Link",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://twitter.com/Zer0Security/status/983529439433777152",
|
|
"source": "security@atlassian.com",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://twitter.com/ankit_anubhav/status/973566620676382721",
|
|
"source": "security@atlassian.com",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
}
|
|
]
|
|
} |