Server Side Request Forgery Vulnerability in Atlassian Application Links
CVE-2017-18096

7.2 HIGH

Key Information:

Vendor
Atlassian
CVE Published:
4 April 2018

Summary

The OAuth status REST resource in Atlassian Application Links prior to version 5.2.7, as well as select versions in the 5.3.x and 5.4.x series, is affected by a security vulnerability that allows remote attackers with administrative privileges to perform Server Side Request Forgery (SSRF). By establishing an OAuth application link to a malicious location, an attacker can cause the server to redirect its requests to an internal network location, potentially exposing sensitive information. In environments such as Amazon EC2, this could be leveraged to reach the instance metadata service, which can contain access credentials and other confidential data.
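The root cause described above is an outbound request whose destination is taken from an administrator-supplied application link without checking where it actually points. The following is an added example of the kind of destination check that mitigates this class of SSRF; it is not Atlassian's code, and every name in it (the function, the constructed DNS table, the example hostnames and addresses) is hypothetical. The resolver is injected so the check can be exercised offline against constructed DNS data; the default resolver uses the real system resolver.

```python
"""Outbound-URL guard for application links (added example, not Atlassian's code).

Rejects any link whose host is, or resolves to, a non-routable address:
loopback, RFC 1918 private space, link-local (which includes the
169.254.169.254 cloud metadata endpoint), multicast, reserved, or unspecified.
"""
import ipaddress
import socket
from urllib.parse import urlparse


def _is_forbidden_address(addr) -> bool:
    """True for addresses an outbound application link must never target."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host):
    """Resolve a hostname with the system resolver; returns the set of addresses."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_application_link_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Return (ok, reason). Every address the host maps to must be acceptable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    # A literal IP host is checked directly; a name is resolved and *all*
    # returned addresses are checked, since a name may map to several.
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    for addr in addrs:
        if _is_forbidden_address(addr):
            return False, f"{host!r} resolves to non-routable address {addr}"
    return True, "ok"


# Constructed DNS data for the offline demonstration; the public address is a
# stand-in chosen only because it falls outside every special-purpose range.
FAKE_DNS = {
    "jira.example.com": {"198.100.50.7"},
    "evil.example.net": {"169.254.169.254"},            # maps to the cloud metadata endpoint
    "dual.example.org": {"198.100.50.8", "10.0.0.5"},   # one public answer, one private
}


def fake_resolver(host):
    """Resolver over the constructed table above; unknown names fail like DNS would."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")


if __name__ == "__main__":
    for u in ["https://jira.example.com/", "https://evil.example.net/",
              "http://dual.example.org/", "http://127.0.0.1:8080/",
              "http://[::1]/", "ftp://jira.example.com/"]:
        print(u, validate_application_link_url(u, fake_resolver))
```

The check deliberately rejects a name when any one of its answers is internal, which is what defeats a link that mixes a public and a private record. It is still a resolve-then-connect check: a host whose record changes between validation and the actual request (DNS rebinding) slips past it, so in production the same policy should also be applied to the address the HTTP client actually connects to, and redirects followed by the client should be re-validated hop by hop.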

Affected Version(s)

Atlassian Application Links < 5.2.7

Atlassian Application Links 5.3.0

Atlassian Application Links < 5.3.4

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
