-
Bug
-
Resolution: Fixed
-
Medium (View bug fix roadmap)
-
7.2.0
-
7.02
-
Severity 2 - Major
-
- The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery (SSRF). This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344 . When running in an environment like Amazon EC2, this flaw can used to access to a metadata resource that provides access credentials and other potentially confidential information.
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page"){kind=icon}
![[Ecosystem JIRA] Bug - A problem which impairs or prevents the functions of the product.](https://ecosystem.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/15303?size=medium "[Ecosystem JIRA] Bug - A problem which impairs or prevents the functions of the product."){kind=small}
[JRASERVER-65862] The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506
What is the Jira version compatibility with the 2.0.4 plugin? Can this be manually downloaded and installed to 7.1.6 until we are ready to upgrade JIRA?
DS Labs
added a comment - Thanks Andriy! It helped. Hi ds.labs2015
Please let me help you with your question:
are versions less than 7.2.0 also affected like, 5.0.2 & 6.4.14?
We don't support those versions anymore, so we didn't do formal check.
That being said, I did some extra investigation. Based on the description from bug - OAUTH-286
affected version atlassian-oauth-service-provider-plugin-x.y.z.jar starts from 1.3.0
Jira 6.4.14 is shipped with atlassian-oauth-service-provider-plugin-1.9.8.jar, so that means it's affected.
For other versions, you can run check yourself to verify if it's affected.
- check URL: <JIRA>/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
Hope this answers your question.
Cheers.
DS Labs
added a comment - Hi Ronnie,
I have a query, can you please help me with the answer.
i) I can see that vulnerability got fixed in 7.2.15 & 7.3.5, are versions less than 7.2.0 also affected like, 5.0.2 & 6.4.14?
DS Labs
added a comment - Hi Ronnie,
I have a query, can you please help me with the answer.
i) I can see that vulnerability got fixed in 7.2.15 & 7.3.5, are versions less than 7.2.0 also affected like, 5.0.2 & 6.4.14? Workaround for 7.2.x
Download the 2.0.4 oAuth plugin:
https://packages.atlassian.com/maven-public-legacy/com/atlassian/oauth/atlassian-oauth-service-provider-plugin/2.0.4/atlassian-oauth-service-provider-plugin-2.0.4.jar
- Manually upload the add-on via the instructions in https://confluence.atlassian.com/upm/updating-add-ons-273875710.html
- restart JIRA
CVSS v3 score: 6.1 => Medium severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
Scope Metric
| Scope | Changed |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | Low |
| Availability | None |
Atlassian support confirmed to me that 2.0.4 can be installed at least as far back as Jira 6.2.5.Scratch that, installing on 6.2.5 causes the plugin to fail to load and the Jira restart locks Jira completely because the OAuth Service Provider is a required plugin.