Atlassian OAuth Plugin IconUriServlet SSRF
Description
The IconUriServlet component in Atlassian OAuth Plugin versions 1.3.0 through 1.9.11 and 2.0.0 through 2.0.3 contains a Server Side Request Forgery (SSRF) vulnerability. This flaw allows unauthenticated remote attackers to make the server perform HTTP requests to arbitrary internal or external URLs. Attackers can exploit this to access internal network resources, retrieve sensitive metadata from cloud environments (such as AWS EC2 instance credentials), or execute cross-site scripting (XSS) attacks by manipulating the response content.
Remediation
Immediately upgrade the Atlassian OAuth Plugin to a patched version by updating your Atlassian product to the following minimum versions or later:
- Bamboo: Upgrade to version 6.0.0 or higher
- Confluence: Upgrade to version 6.1.3 or higher
- Jira: Upgrade to version 7.3.5 or higher
- Bitbucket: Upgrade to version 4.14.4 or higher
- Crowd: Upgrade to version 2.11.2 or higher
- Crucible & Fisheye: Upgrade to version 4.3.2 or higher
After upgrading, verify the patch is effective by checking the OAuth Plugin version in your application's plugin manager. As an interim mitigation, if immediate patching is not possible, consider implementing network-level controls to restrict outbound HTTP requests from the application server to only necessary external destinations, and block access to cloud metadata endpoints (e.g., 169.254.169.254) at the firewall level.
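To make the version check above mechanical, here is a small offline checker (an added illustration, not Atlassian tooling) that tests an OAuth Plugin version string against the affected ranges in the description and a product version against the minimum fixed versions listed in the remediation. It assumes dotted numeric version strings and ignores any trailing qualifier such as "-m01".

```python
"""Offline check of Atlassian OAuth Plugin / product versions against the
ranges given in this advisory. Added example, not Atlassian code. Assumes
dotted numeric versions; a trailing qualifier (e.g. '-m01') is ignored."""
import re
from typing import Tuple

# Affected OAuth Plugin ranges from the description (inclusive both ends).
AFFECTED_PLUGIN_RANGES = [("1.3.0", "1.9.11"), ("2.0.0", "2.0.3")]

# Minimum fixed product versions from the remediation list above.
FIXED_PRODUCT_VERSIONS = {
    "bamboo": "6.0.0",
    "confluence": "6.1.3",
    "jira": "7.3.5",
    "bitbucket": "4.14.4",
    "crowd": "2.11.2",
    "crucible": "4.3.2",
    "fisheye": "4.3.2",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.3.5' (or '7.3.5-m01') into a comparable tuple (7, 3, 5).
    Short versions are zero-padded so '6.2' compares as (6, 2, 0)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def plugin_version_affected(version: str) -> bool:
    """True if the OAuth Plugin version lies inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_PLUGIN_RANGES)

def product_patched(product: str, version: str) -> bool:
    """True if the product version is at or above the listed fixed version."""
    key = product.strip().lower()
    if key not in FIXED_PRODUCT_VERSIONS:
        raise KeyError(f"no fixed version listed for {product!r}")
    return parse_version(version) >= parse_version(FIXED_PRODUCT_VERSIONS[key])

if __name__ == "__main__":
    # Constructed sample inputs around the range boundaries.
    for v in ("1.2.9", "1.3.0", "1.9.11", "1.9.12", "2.0.3", "2.1.0"):
        state = "AFFECTED" if plugin_version_affected(v) else "not in affected range"
        print(f"OAuth Plugin {v}: {state}")
    print("Jira 7.3.4 patched:", product_patched("Jira", "7.3.4"))
```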