CVE-2017-18096

CVSS V2 Medium 4 CVSS V3 High 7.2
Description
The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.
Overview
  • CVE ID
  • CVE-2017-18096
  • Assigner
  • security@atlassian.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2018-04-04T12:29:00
  • Last Modified Date
  • 2018-05-10T13:02:24
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:* 1 OR 5.2.7
cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:* 1 OR 5.3.0 5.3.4
cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:* 1 OR 5.4.0 5.4.3
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:S/C:P/I:N/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • SINGLE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 4
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • HIGH
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 7.2
  • Base Severity
  • HIGH
  • Exploitability Score
  • 1.2
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://ecosystem.atlassian.net/browse/APL-1359 Vendor Advisory
History
Created Old Value New Value Data Type Notes
2022-05-10 18:43:52 Added to TrackCVE
2022-12-03 04:19:44 2018-04-04T12:29Z 2018-04-04T12:29:00 CVE Published Date updated
2022-12-03 04:19:44 2018-05-10T13:02:24 CVE Modified Date updated
2022-12-03 04:19:44 Analyzed Vulnerability Status updated