漏洞描述
【漏洞对象】Jira 【涉及版本】Jira < 7.3.5 【漏洞描述】从1.9.12版之前的1.3.0版和2.0.4版之前的2.0.0版开始,AtlassianOAuth插件的IconUriServlet允许远程攻击者通过服务器端请求访问内部网络资源的内容和/或执行XSS攻击伪造(SSRF)通过构造consumerUri参数即可访问内网资源
Jira Atlassian OAuth插件存在SSRF漏洞(CVE-2017-9506)
PoC代码
暂无相关漏洞推荐
- POC CVE-2017-5983: JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
- OAuth2-Proxy 需授权 中和不当漏洞
- Atlassian Jira Software Data Center And Server 需授权 路径遍历漏洞
- CVE-2019-3396: Atlassian Confluence Path Traversal
- Atlassian Confluence /json/setup-restore.action 文件上传漏洞(CVE-2023-22518)
- POC CVE-2015-8399: Atlassian Confluence <5.8.17 - Information Disclosure
- POC CVE-2016-4977: Spring Security OAuth2 Remote Command Execution
- POC CVE-2017-9506: Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery
- POC CVE-2018-20824: Atlassian Jira WallboardServlet <7.13.1 - Cross-Site Scripting
- POC CVE-2018-5230: Atlassian Jira Confluence - Cross-Site Scripting
- POC CVE-2019-11580: Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
- POC CVE-2019-11581: Atlassian Jira Server-Side Template Injection
- POC CVE-2019-3396: Atlassian Confluence Server - Path Traversal