CVE-2017-9506

MEDIUM · EXPLOITED IN THE WILD · NUCLEI

Atlassian OAuth Plugin <1.9.12, <2.0.4 - SSRF/XSS


Exploitation Summary

CVE-2017-9506 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 4 public exploits from researchers including random-robbie, Pr0t0c01, labsbots. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Python script that scans multiple Jira instances for CVE-2017-9506, an SSRF vulnerability in the Atlassian OAuth Plugin. The script checks for the presence of a specific response pattern to determine vulnerability.

Description

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

Exploits (4)

nomisec · SCANNER · 190 stars
by random-robbie · infoleak
https://github.com/random-robbie/Jira-Scan

This repository contains a Python script that scans multiple Jira instances for CVE-2017-9506, an SSRF vulnerability in the Atlassian OAuth Plugin. The script checks for the presence of a specific response pattern to determine vulnerability.

Classification: Scanner 95%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Jira < 7.3.5
No auth needed
Prerequisites: List of target domains in a file named 'list.txt'
devstral-2 · analyzed Feb 16, 2026
github · SCANNER · 2 stars
by Pr0t0c01 · pythonpoc
https://github.com/Pr0t0c01/CVEs/tree/main/JIRA_CVE-2017-9506

The repository provides a Nuclei template for scanning JIRA instances vulnerable to CVE-2017-9506, an SSRF vulnerability. It includes a Google dork for identifying potential targets but lacks actual exploit code.

Classification: Scanner 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian JIRA
No auth needed
Prerequisites: Nuclei installed · target list
devstral-2 · analyzed Feb 27, 2026
nomisec · SCANNER
by labsbots · client-side
https://github.com/labsbots/CVE-2017-9506

The repository contains a Python script that scans for Jira instances vulnerable to CVE-2017-9506, an SSRF and XSS vulnerability in the Atlassian OAuth Plugin. The script uses the Shodan API to find potential targets and checks for the presence of the vulnerable endpoint.

Classification: Scanner 90%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Jira with OAuth Plugin versions 1.3.0 to 1.9.11 and 2.0.0 to 2.0.3
No auth needed
Prerequisites: Shodan API key · Network access to target Jira instances
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by pwn1sher · client-side
https://github.com/pwn1sher/jira-ssrf

This PoC exploits CVE-2017-9506, an SSRF vulnerability in Atlassian OAuth Plugin, allowing attackers to access internal network resources via the IconUriServlet. The script checks for vulnerability by sending a crafted request to the target and verifying the response.

Classification: Working PoC 90%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Atlassian OAuth Plugin versions 1.3.0-1.9.11 and 2.0.0-2.0.3
No auth needed
Prerequisites: Network access to the target Jira instance · Target must have the vulnerable OAuth Plugin version installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery
MEDIUM · by pdteam
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira"

References (5)

Core References
http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html (Exploit, Third Party Advisory)
https://twitter.com/ankit_anubhav/status/973566620676382721 (Exploit, Third Party Advisory)
https://ecosystem.atlassian.net/browse/OAUTH-344 (Issue Tracking, Vendor Advisory)
https://twitter.com/Zer0Security/status/983529439433777152 (Exploit, Third Party Advisory)

Scores

CVSS v3: 6.1
EPSS: 0.3700
EPSS Percentile: 98.3%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

VulnCheck KEV: 2024-09-19
InTheWild.io: 2021-10-14
CWE: CWE-918
Status: published
Products (40)
Atlassian/Atlassian OAuth Plugin From version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4.
atlassian/oauth 1.3.0
atlassian/oauth 1.3.1
atlassian/oauth 1.3.2
atlassian/oauth 1.3.3
atlassian/oauth 1.3.4
atlassian/oauth 1.3.5
atlassian/oauth 1.3.6
atlassian/oauth 1.3.7
atlassian/oauth 1.3.8
... and 30 more
Published: Aug 23, 2017
Tracked Since: Feb 18, 2026