This old OAuth plugin vulnerability still leaves several major companies open to attack

Last year, security researchers from the software company 42 disclosed a flaw in the Atlassian OAuth plugin that lets a remote attacker make the server issue HTTP GET requests to destinations of the attacker's choosing. Although Atlassian fixed the vulnerability in March 2017, it continues to pose a threat to major firms that have not updated the plugin.

Security researcher Robbie Wiggins said the vulnerable plugin ships with products such as Jira and Confluence, SDTimes reported. When a vulnerable instance is hosted on AWS, the flaw can be used to reach the instance metadata service and retrieve metadata, including the temporary AWS keys of the IAM role attached to the instance. He noted that, depending on how the software is set up, hackers could potentially grab a root password or token.

The vulnerability, CVE-2017-9506, affects the IconUriServlet of the Atlassian OAuth plugin in versions 1.3.0 through 1.9.12 and 2.0.0 through 2.0.4.
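The two affected version ranges above are inclusive, so a quick inventory check is just a tuple comparison against both ranges. The following is an added example, not Atlassian's tooling; the version strings and hostnames in it are constructed inputs.

```python
"""Check whether an Atlassian OAuth plugin version falls in the ranges the
advisory names for CVE-2017-9506: 1.3.0 through 1.9.12 and 2.0.0 through 2.0.4.
Added example; version strings and hostnames below are constructed inputs."""
import re

# Inclusive (lowest, highest) affected ranges as stated in the advisory.
AFFECTED_RANGES = (
    ((1, 3, 0), (1, 9, 12)),
    ((2, 0, 0), (2, 0, 4)),
)


def parse_version(version: str) -> tuple:
    """Turn '1.9.12' (optionally with a suffix such as '-SNAPSHOT') into a
    comparable tuple of ints. Raises ValueError on anything unparseable,
    so a missing or garbled version is never silently treated as safe."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside either affected range (inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: dict) -> list:
    """Given {hostname: plugin version}, return the affected hosts, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory: hostname -> OAuth plugin version.
    sample = {
        "jira-a.example": "1.9.12",     # last affected 1.x release
        "jira-b.example": "1.9.13",     # first release past the 1.x range
        "conf-a.example": "2.0.4",      # last affected 2.x release
        "conf-b.example": "2.0.5-SNAPSHOT",
        "legacy.example": "1.2.9",      # predates the affected 1.x range
    }
    print("affected:", triage(sample))
```

The parser deliberately refuses unparseable strings instead of returning a default; in an inventory sweep an unknown version should surface as an error to investigate, not disappear into the "not affected" bucket.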

By exploiting this vulnerability, an attacker can remotely read the content of internal network resources or perform a cross-site scripting (XSS) attack via server-side request forgery (SSRF). Because the fetched content is returned by the vulnerable host itself, a spoofed login page reached this way is served under the trusted domain with a valid TLS connection, which makes the flaw usable for stealing login credentials and for spreading malicious content via a trusted but compromised domain.
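The flaw is a server-side fetch of a client-supplied URI with no check on where that URI points. The following added example is not Atlassian's code (the page does not show the IconUriServlet source); unchecked_icon_target() and guarded_icon_target() are hypothetical stand-ins that reproduce the shape of the bug and one way to close it, generalised to the whole class of SSRF targets (instance metadata, loopback, RFC 1918, IPv4-mapped IPv6, non-http schemes). The DNS resolver is injectable so the checks run offline against constructed lookup data.

```python
"""Vulnerable versus hardened handling of a client-supplied icon URI.

Added example, not Atlassian's code: the IconUriServlet source is not on the
page, so the two handlers below are hypothetical stand-ins. FAKE_DNS is
constructed data so the checks run offline."""
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeTarget(ValueError):
    """Raised when a URI must not be fetched on the client's behalf."""


def unchecked_icon_target(icon_uri: str) -> str:
    """Vulnerable pattern: the server fetches whatever URI the client sends,
    so http://169.254.169.254/... reaches the instance metadata service."""
    return icon_uri


def default_resolver(host: str) -> list:
    """Resolve a hostname to all of its addresses (real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _forbidden(ip) -> bool:
    """True for any address an outbound server-side fetch must never hit."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the IMDS host
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def guarded_icon_target(icon_uri: str, resolver=default_resolver) -> tuple:
    """Hardened pattern: allow only http(s) to hosts whose every address is
    public. Returns (uri, [validated addresses]); the caller must connect to
    one of those addresses rather than resolve the name again, otherwise a
    DNS-rebinding host could pass here and answer 169.254.169.254 later."""
    parts = urlsplit(icon_uri)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials in URI")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("no host in URI")
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IPv4 or IPv6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise UnsafeTarget(f"{host!r} does not resolve")
    for ip in addrs:
        if _forbidden(ip):
            raise UnsafeTarget(f"{host!r} maps to non-public address {ip}")
    return icon_uri, [str(ip) for ip in addrs]


def is_safe_target(icon_uri: str, resolver=default_resolver) -> bool:
    """Boolean wrapper around guarded_icon_target() for policy checks."""
    try:
        guarded_icon_target(icon_uri, resolver)
        return True
    except UnsafeTarget:
        return False


# Constructed DNS data for offline use; 8.8.8.8 stands in for a public CDN.
FAKE_DNS = {
    "icons.example": ["8.8.8.8"],
    "rebind.example": ["8.8.8.8", "10.0.0.5"],   # one public, one internal
    "localhost": ["127.0.0.1"],
}


def demo_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    imds = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print("unchecked handler would fetch:", unchecked_icon_target(imds))
    for uri in (imds, "https://icons.example/logo.png",
                "http://rebind.example/logo.png", "file:///etc/passwd"):
        print(f"{uri:70} safe={is_safe_target(uri, demo_resolver)}")
```

Two caveats the guard does not remove on its own: an HTTP redirect from a public host to an internal one must be re-validated hop by hop (or redirects disabled), and the fetch itself must use the address returned here rather than re-resolving the name, or DNS rebinding defeats the check.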

“This vulnerability is not new and was fixed in March 2017,” a spokesperson from Atlassian told SDTimes. “As always, we recommend that our customers upgrade to the most recent version of our server products to ensure they have the latest features and fixes. In this case, it’s especially important for those customers who host Atlassian server products on AWS cloud instances.

“This vulnerability does not impact customers using cloud versions of Atlassian products, those who upgraded server versions, and those that do not host server versions on AWS cloud. We encourage security researchers to submit vulnerabilities to our public bug bounty program.”

Cyware Publisher