CVE-2017-18096

7.2HIGH

Key Information:

Vendor: Atlassian
Status: Atlassian Application Links
Vendor: CVE Published:; 4 April 2018

Summary

The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.

Affected Version(s)

Atlassian Application Links < 5.2.7

Atlassian Application Links 5.3.0

Atlassian Application Links < 5.3.4

References

https://ecosystem.atlassian.net/browse/APL-1359

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 4, 2018
Vulnerability Reserved
Feb 1, 2018