Summary

Misleading UI can lead to a deactivated user being re enabled after a successful authorization by the Identity Provider

Advisory Release Date

2019/07/15


Products

SAML Single Sign On (SSO) for JIRA

SAML Single Sign On (SSO) for Confluence

SAML Single Sign On (SSO) Bitbucket

SAML Single Sign On (SSO) for Bamboo

Affected SAML SSO versions

2.4.0-3.0.3 Bitbucket and Bamboo, 3.1.0 - 3.2.2 Jira and Confluence

Fixed SAML SSO versions

3.3.0 for Jira, Confluence and Bitbucket, 2.5.4 for Bamboo(to be released)

CVSS Score: Base Score / Temporal Score6.4 / 6.1
CVSS Vector StringCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C
CVE Number

https://nvd.nist.gov/vuln/detail/CVE-2019-13347

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13347


Summary

This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin Version 2.4.0-2.5.3 for Bitbucket and Bamboo, and 3.1.0 - 3.2.2 Jira and Confluence.

Please upgrade your Installations to fix this vulnerability.

Am I affected?

You are only affected, if:

  • the User Update Method is set to Update from SAML Attributes

    and

  • you deactivated the Reactivate inactive users option. 


In the default settings, Reactivate inactive users is always activated. Thus you are only affected if you change the default settings.

Details

The SAML SSO plugin has an option to Reactivate inactive users. When enabled, locally disabled users are reactivated during login, even if the feature to update users with data provided by the IdP is disabled.

When Reactivate inactive users is disabled, but the user update with data from the IdP is enabled, locally disabled users are reenabled. The UI is misleading here, the expected behaviour should be to keep locally disabled users disabled when Reactivate inactive users is not active.

Since a user must first be authorized by the identity provider, this vulnerability has a rather low impact.

What You Need to Do

If you need the ability to keep locally disabled users disabled while having user update enabled, upgrade to SAML Single Sign On (SSO) Version 3.3.0 (2.5.4 for Bamboo).

If you need help with either if these courses of action, please raise a support request via our Support Portal

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Acknowledgment

Thanks to Lukas Braune of Siemens for reporting the bug.