2019-07-11 Users are always re-enabled during login when updated
| Summary | Misleading UI can lead to a deactivated user being re-enabled after a successful authorization by the Identity Provider |
|---|---|
| Advisory Release Date | 2019/07/15 |
| Products | SAML Single Sign On (SSO) for JIRA, SAML Single Sign On (SSO) for Confluence |
| Affected SAML SSO versions | 2.4.0-3.0.3 Bitbucket and Bamboo, 3.1.0 - 3.2.2 Jira and Confluence |
| Fixed SAML SSO versions | 3.3.0 for Jira, Confluence and Bitbucket, 2.5.4 for Bamboo (to be released) |
| CVSS Score: Base Score / Temporal Score | 6.4 / 6.1 |
| CVSS Vector String | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C |
| CVE Number | https://nvd.nist.gov/vuln/detail/CVE-2019-13347 , https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13347 |
Summary
This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin versions 2.4.0-2.5.3 for Bitbucket and Bamboo, and 3.1.0 - 3.2.2 for Jira and Confluence.
Please upgrade your installations to fix this vulnerability.
Am I affected?
You are only affected if both of the following hold:
- the User Update Method is set to Update from SAML Attributes, and
- you have deactivated the Reactivate inactive users option.
In the default settings, Reactivate inactive users is enabled, so you are only affected if you have changed the defaults.
Details
The SAML SSO plugin has an option to Reactivate inactive users. When enabled, locally disabled users are reactivated during login, even if the feature to update users with data provided by the IdP is disabled.
When Reactivate inactive users is disabled but user update with data from the IdP is enabled, locally disabled users are nevertheless re-enabled. The UI is misleading here: the expected behaviour is that locally disabled users stay disabled whenever Reactivate inactive users is not active.
Since a user must first be authorized by the identity provider, the impact of this vulnerability is rather low.
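To make the precedence mistake concrete, the following is an added Python model of the two login code paths described above. It is not the plugin's own code; the setting names, the user fields and the sample SAML attributes are assumptions, and `is_affected` simply encodes the "Am I affected?" conditions so an administrator can check a configuration.

```python
from dataclasses import dataclass
from enum import Enum


class UserUpdateMethod(Enum):
    """Hypothetical names for the plugin's User Update Method setting."""
    NO_UPDATE = "no_update"
    FROM_SAML_ATTRIBUTES = "update_from_saml_attributes"


@dataclass
class SsoConfig:
    user_update_method: UserUpdateMethod
    reactivate_inactive_users: bool = True  # default stated in the advisory


@dataclass
class LocalUser:
    username: str
    email: str
    active: bool  # False = locally deactivated by an administrator


def is_affected(cfg: SsoConfig) -> bool:
    """Mirror of the advisory's two 'Am I affected?' conditions."""
    return (cfg.user_update_method is UserUpdateMethod.FROM_SAML_ATTRIBUTES
            and not cfg.reactivate_inactive_users)


def login_vulnerable(cfg: SsoConfig, user: LocalUser, attrs: dict) -> bool:
    """Behaviour described for the affected versions: the attribute-update
    path re-enables the account on its own. Returns the resulting active flag."""
    if cfg.reactivate_inactive_users:
        user.active = True
    if cfg.user_update_method is UserUpdateMethod.FROM_SAML_ATTRIBUTES:
        user.email = attrs.get("email", user.email)
        user.active = True  # defect: ignores reactivate_inactive_users
    return user.active


def login_fixed(cfg: SsoConfig, user: LocalUser, attrs: dict) -> bool:
    """Expected behaviour: only the explicit option may reactivate a user;
    attribute updates never touch the active flag."""
    if cfg.user_update_method is UserUpdateMethod.FROM_SAML_ATTRIBUTES:
        user.email = attrs.get("email", user.email)  # attributes only
    if cfg.reactivate_inactive_users:
        user.active = True
    return user.active
```

Run `is_affected` against your own settings; if it returns True, a deactivated user whose IdP still asserts them would come back active under the vulnerable logic.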
What You Need to Do
If you need the ability to keep locally disabled users disabled while having user update enabled, upgrade to SAML Single Sign On (SSO) Version 3.3.0 (2.5.4 for Bamboo).
If you need help with this course of action, please raise a support request via our Support Portal.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.
Acknowledgment
Thanks to Lukas Braune of Siemens for reporting the bug.