2021-07-29 Authentication Bypass: Network Attacker Can Log In to Users' Accounts when Usernames are Known
Updated Advisory 2021-08-12
The resolution team has released comprehensive security fixes for all SAML SSO plugins that address additional scenarios related to the vulnerability identified on July 27th.
Please update to the versions listed in this page even if you already updated to the prior fixes.
| | |
|---|---|
| Summary | Authentication Bypass: a network attacker can log in as any user whose username is known |
| Advisory Release Date | 2021-07-29, new fix versions released on 2021-08-12 |
| Products | SAML Single Sign-On (SSO) for Jira, SAML Single Sign-On (SSO) for Confluence, SAML Single Sign-On (SSO) for Bitbucket (fixed versions are also provided for Bamboo and Fisheye/Crucible) |
| Affected SAML SSO versions | All app versions prior to the fixed versions |
| Fixed SAML SSO versions | 5.0.6, 4.0.13, 3.6.7 (Jira, Confluence, Bitbucket, Bamboo), 3.5.7 (Confluence), 3.5.0.2 (Bitbucket), 2.5.10 (Bitbucket, Bamboo, Fisheye), 2.0.14 (Jira, Confluence) |
| CVSS Score: Base Score / Temporal Score | Base 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), Temporal 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C) |
| CVE Number | CVE-2021-37843 |
Summary
This advisory discloses a critical severity security vulnerability affecting our SAML Single Sign-On Plugin in all past versions.
Please upgrade your installations to fix this vulnerability.
Details
The security vulnerability has been made known to us via disclosure from a researcher. To our knowledge, this is currently not otherwise known or widely exploited.
Due to the severe nature of this vulnerability, we will not currently provide detailed information that may increase the risk of it being exploited. We will first allow a time window that customers should utilize to upgrade to the fixed versions.
For the vulnerability fixed on 2021-07-29, there is an imperfect way to detect whether this vulnerability was exploited on your instance. For information on how to do this, please contact us with your valid, non-evaluation app SEN via our Support Portal. For the additional fix released on 2021-08-12, there is unfortunately no easy way to detect whether it was exploited.
What You Need to Do
In general, please update the SAML SSO app to the latest version. For information about how to update your apps, please refer to Atlassian's documentation on the topic.
If you cannot update the app, the only way to get rid of this vulnerability is to disable the app. Note that this will result in loss of Single Sign-On capability for all users on the affected system.
You might be able to reduce the exposure by restricting access to the product from the internet to only your known users, for example via an internal VPN or a similarly private network. Note that this does not remove the vulnerability: it only limits who can reach it, so it requires you to trust every user who can still reach the product not to exploit it.
The updated versions of the app make the fix available for all currently supported versions of the Atlassian host products (Jira, Confluence, Bitbucket, Bamboo, Fisheye/Crucible). If you require a fixed app version for unsupported Atlassian host products that do not work with one of the provided versions, please raise a support request via our Support Portal.
If you need help with either of these courses of action, please raise a support request via our Support Portal.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.
Fixed App Versions by Host Product Versions
This table denotes which host product versions are compatible with which app versions (Atlassian Application → SAML SSO app version).
Jira
- 7.0.4 - 7.9.2 → 2.0.14
- 7.3.0 - 8.14.1 → 3.6.7
- 7.13.0 - 8.17.0 → 4.0.13
- 8.3.0 - 8.18.1 → 5.0.6
Confluence
- 5.10.0 - 6.8.5 → 2.0.14
- 6.3.0 - 7.5.2 → 3.5.7
- 6.8.0 - 7.8.3 → 3.6.7
- 6.13.0 - 7.12.3 → 4.0.13
- 7.0.1 - 7.12.3 → 5.0.6
Bitbucket
- 5.5.0 - 6.10.2 → 2.5.10
- 5.12.4 - 7.15.0 → 3.6.7
- 6.0.0 - 7.15.0 → 4.0.13
- 6.4.0 - 7.15.0 → 5.0.6
Bamboo
- 5.12.0.2 - 6.10.6 → 2.5.10
- 6.6.0 - 7.1.4 → 3.6.7
- 6.8.0 - 7.2.5 → 4.0.13
- 6.10.2 - 7.2.5 → 5.0.6
Fisheye/Crucible
- 4.2.0 - 4.8.7 → 2.5.10
For example, if you use Bamboo 6.6.0 with SAML SSO app version 2.5.5, you can update to 2.5.10 or 3.6.7 (4.0.13 and 5.0.6 require Bamboo 6.8.0 and 6.10.2 respectively).
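The check that the example above walks through by hand is easy to get wrong across a fleet of instances, mainly because app and host versions must be compared numerically (a plain string comparison ranks 7.9.2 above 7.13.0). The following is an added example, not resolution's or Atlassian's own tooling: it encodes the two tables from this advisory, decides whether an installed app version is below the fixed version of its own release line, and lists the fixed app versions compatible with a given host product version. The function names and the report format are this example's own.

```python
"""Check an installed resolution SAML SSO app version against the fixed
versions in this advisory, and list the fixed app versions that are
compatible with a given Atlassian host product version.

Example code added alongside the advisory; it is not resolution's or
Atlassian's own tooling. The version ranges below are transcribed from
the advisory's tables; the function names are this example's own.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '3.5.0.2' into (3, 5, 0, 2) so that comparison is numeric.
    Plain string comparison would wrongly rank '7.9.2' above '7.13.0'."""
    return tuple(int(part) for part in text.strip().split("."))


# Fixed app versions per host product, keyed by release line (major.minor),
# from the "Fixed SAML SSO versions" row of the advisory.
FIXED_BY_LINE: Dict[str, Dict[Tuple[int, int], str]] = {
    "Jira":       {(5, 0): "5.0.6", (4, 0): "4.0.13", (3, 6): "3.6.7", (2, 0): "2.0.14"},
    "Confluence": {(5, 0): "5.0.6", (4, 0): "4.0.13", (3, 6): "3.6.7", (3, 5): "3.5.7",
                   (2, 0): "2.0.14"},
    "Bitbucket":  {(5, 0): "5.0.6", (4, 0): "4.0.13", (3, 6): "3.6.7", (3, 5): "3.5.0.2",
                   (2, 5): "2.5.10"},
    "Bamboo":     {(5, 0): "5.0.6", (4, 0): "4.0.13", (3, 6): "3.6.7", (2, 5): "2.5.10"},
    "Fisheye":    {(2, 5): "2.5.10"},
}

# (lowest host version, highest host version, fixed app version) triples from
# the "Fixed App Versions by Host Product Versions" table.
COMPATIBILITY: Dict[str, List[Tuple[str, str, str]]] = {
    "Jira": [("7.0.4", "7.9.2", "2.0.14"), ("7.3.0", "8.14.1", "3.6.7"),
             ("7.13.0", "8.17.0", "4.0.13"), ("8.3.0", "8.18.1", "5.0.6")],
    "Confluence": [("5.10.0", "6.8.5", "2.0.14"), ("6.3.0", "7.5.2", "3.5.7"),
                   ("6.8.0", "7.8.3", "3.6.7"), ("6.13.0", "7.12.3", "4.0.13"),
                   ("7.0.1", "7.12.3", "5.0.6")],
    "Bitbucket": [("5.5.0", "6.10.2", "2.5.10"), ("5.12.4", "7.15.0", "3.6.7"),
                  ("6.0.0", "7.15.0", "4.0.13"), ("6.4.0", "7.15.0", "5.0.6")],
    "Bamboo": [("5.12.0.2", "6.10.6", "2.5.10"), ("6.6.0", "7.1.4", "3.6.7"),
               ("6.8.0", "7.2.5", "4.0.13"), ("6.10.2", "7.2.5", "5.0.6")],
    "Fisheye": [("4.2.0", "4.8.7", "2.5.10")],
}


def is_vulnerable(product: str, app_version: str) -> bool:
    """True unless the installed app is at or above the fixed version of its
    own release line. Lines with no fixed version (e.g. 3.4.x) are always
    vulnerable: the advisory covers every version prior to the fixes."""
    installed = parse_version(app_version)
    fixed = FIXED_BY_LINE[product].get(installed[:2])
    return fixed is None or installed < parse_version(fixed)


def upgrade_targets(product: str, host_version: str) -> List[str]:
    """Fixed app versions whose compatibility range covers this host version."""
    host = parse_version(host_version)
    return [app for low, high, app in COMPATIBILITY[product]
            if parse_version(low) <= host <= parse_version(high)]


def check(product: str, host_version: str, app_version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if not is_vulnerable(product, app_version):
        return f"{product} {host_version}: SAML SSO {app_version} is fixed"
    targets = upgrade_targets(product, host_version)
    if not targets:
        return (f"{product} {host_version}: SAML SSO {app_version} VULNERABLE, "
                f"no fixed app version listed for this host version; raise a support request")
    return (f"{product} {host_version}: SAML SSO {app_version} VULNERABLE, "
            f"update to {' or '.join(targets)}")


if __name__ == "__main__":
    # The advisory's own worked example: Bamboo 6.6.0 running app 2.5.5.
    print(check("Bamboo", "6.6.0", "2.5.5"))
    # Constructed inventory entries for the other verdicts.
    print(check("Jira", "8.13.0", "4.0.13"))
    print(check("Bitbucket", "7.15.0", "3.5.0.1"))
```

Run it against your own inventory by calling `check` once per instance; an app version whose release line has no entry in `FIXED_BY_LINE` (for example a 3.4.x build) is reported as vulnerable, and a host version outside every listed range falls into the "raise a support request" case that the advisory describes for unsupported host products.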