SAML Single Sign On Security Advisories

2021-07-29 Authentication Bypass: Network Attacker Can Log In to Users' Accounts when Usernames are Known

Updated Advisory 2021-08-12
The resolution team has released comprehensive security fixes for all SAML SSO plugins that address additional scenarios related to the vulnerability identified on July 27th. Please update to the versions listed on this page even if you already updated to the prior fixes.

Summary: Authentication bypass; a network attacker can log in to the account of any user whose username is known
Advisory Release Date: 2021-07-29; new fix versions released on 2021-08-12
Products:
  SAML Single Sign-On (SSO) for Jira
  SAML Single Sign-On (SSO) for Confluence
  SAML Single Sign-On (SSO) for Bitbucket
  SAML Single Sign-On (SSO) for Bamboo
  SAML Single Sign-On (SSO) for Fisheye
Affected SAML SSO versions: all app versions prior to the fixed versions
Fixed SAML SSO versions: 5.0.6, 4.0.13, 3.6.7 (Jira, Confluence, Bitbucket, Bamboo); 3.5.7 (Confluence); 3.5.0.2 (Bitbucket); 2.5.10 (Bitbucket, Bamboo, Fisheye); 2.0.14 (Jira, Confluence)
CVSS Score (Base / Temporal):
  Base 9.8  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Temporal 8.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVE Number: CVE-2021-37843

Summary
This advisory discloses a critical severity security vulnerability affecting our SAML Single Sign-On plugin in all past versions. Please upgrade your installations to fix this vulnerability.

Details
The security vulnerability was made known to us through disclosure by a researcher. To our knowledge, it is currently not otherwise known or widely exploited. Because of the severe nature of this vulnerability, we will not currently provide detailed information that could increase the risk of it being exploited.
We will first allow a time window that customers should use to upgrade to the fixed versions.

For the vulnerability fixed on 2021-07-29, there is an imperfect way to detect whether this vulnerability was exploited on your instance. For information on how to do this, please contact us with your valid, non-evaluation app SEN via our Support Portal. For the additional fix released on 2021-08-12, there is unfortunately no easy way to detect whether it was exploited.

What You Need to Do
In general, please update the SAML SSO app to the latest versions. For information about how to update your apps, please refer to Atlassian's documentation on the topic.

If you cannot update the app, the only way to remove this vulnerability is to disable the app. Note that this results in loss of Single Sign-On capability for all users on the affected system.

You might be able to mitigate the impact by restricting access to the product from the internet to only your known users, using an internal VPN or a similarly private network. Note that this requires you to trust your users not to exploit this vulnerability.

The updated versions of the app make the fix available for all currently supported versions of the Atlassian host products (Jira, Confluence, Bitbucket, Bamboo, Fisheye/Crucible). If you require a fixed app version for an unsupported Atlassian host product version that does not work with one of the provided versions, please raise a support request via our Support Portal. If you need help with either of these courses of action, please raise a support request via our Support Portal.

Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Fixed App Versions by Host Product Versions
This table denotes which host product versions are compatible with which app versions (Atlassian host product version range → SAML SSO app version).
Jira
  7.0.4 - 7.9.2 → 2.0.14
  7.3.0 - 8.14.1 → 3.6.7
  7.13.0 - 8.17.0 → 4.0.13
  8.3.0 - 8.18.1 → 5.0.6

Confluence
  5.10.0 - 6.8.5 → 2.0.14
  6.3.0 - 7.5.2 → 3.5.7
  6.8.0 - 7.8.3 → 3.6.7
  6.13.0 - 7.12.3 → 4.0.13
  7.0.1 - 7.12.3 → 5.0.6

Bitbucket
  5.5.0 - 6.10.2 → 2.5.10
  5.12.4 - 7.15.0 → 3.6.7
  6.0.0 - 7.15.0 → 4.0.13
  6.4.0 - 7.15.0 → 5.0.6

Bamboo
  5.12.0.2 - 6.10.6 → 2.5.10
  6.6.0 - 7.1.4 → 3.6.7
  6.8.0 - 7.2.5 → 4.0.13
  6.10.2 - 7.2.5 → 5.0.6

Fisheye/Crucible
  4.2.0 - 4.8.7 → 2.5.10

For example, if you use Bamboo 6.6.0 with SAML SSO app version 2.5.5, you can update to 2.5.10 or 3.6.7.
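Two things are easy to get wrong when applying the fixed-version list and the compatibility table to an installation: version strings must be compared numerically per component (2.5.10 is newer than 2.5.9, and 3.5.0.2 on Bitbucket sits on a different release line from 3.5.7 on Confluence), and a host product version usually falls into several overlapping ranges, so more than one fixed app version may be available. The checker below is an added example written for this page, not code from resolution; the version data is transcribed from the advisory tables above, the product keys and function names are the example's own, and the treatment of release lines newer than 5.0.6 (which this advisory does not mention) as not affected is an assumption.

```python
"""Vulnerability and upgrade-path check for CVE-2021-37843 (added example, not vendor code).

FIXED_VERSIONS and COMPATIBILITY are transcribed from the advisory; host ranges
are inclusive as printed. Product keys ("jira", ...) are this example's own.
"""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.5.0.2' -> (3, 5, 0, 2). Tuple comparison orders 2.5.10 after 2.5.9,
    which a plain string comparison would not."""
    return tuple(int(part) for part in text.strip().split("."))


# Fixed app versions per host product, from the "Fixed SAML SSO versions" line.
FIXED_VERSIONS = {
    "jira":       ["5.0.6", "4.0.13", "3.6.7", "2.0.14"],
    "confluence": ["5.0.6", "4.0.13", "3.6.7", "3.5.7", "2.0.14"],
    "bitbucket":  ["5.0.6", "4.0.13", "3.6.7", "3.5.0.2", "2.5.10"],
    "bamboo":     ["5.0.6", "4.0.13", "3.6.7", "2.5.10"],
    "fisheye":    ["2.5.10"],
}

# (lowest host version, highest host version, fixed app version), from the table above.
COMPATIBILITY = {
    "jira": [("7.0.4", "7.9.2", "2.0.14"), ("7.3.0", "8.14.1", "3.6.7"),
             ("7.13.0", "8.17.0", "4.0.13"), ("8.3.0", "8.18.1", "5.0.6")],
    "confluence": [("5.10.0", "6.8.5", "2.0.14"), ("6.3.0", "7.5.2", "3.5.7"),
                   ("6.8.0", "7.8.3", "3.6.7"), ("6.13.0", "7.12.3", "4.0.13"),
                   ("7.0.1", "7.12.3", "5.0.6")],
    "bitbucket": [("5.5.0", "6.10.2", "2.5.10"), ("5.12.4", "7.15.0", "3.6.7"),
                  ("6.0.0", "7.15.0", "4.0.13"), ("6.4.0", "7.15.0", "5.0.6")],
    "bamboo": [("5.12.0.2", "6.10.6", "2.5.10"), ("6.6.0", "7.1.4", "3.6.7"),
               ("6.8.0", "7.2.5", "4.0.13"), ("6.10.2", "7.2.5", "5.0.6")],
    "fisheye": [("4.2.0", "4.8.7", "2.5.10")],
}


def is_fixed(product: str, installed: str) -> bool:
    """True if the installed app version is at or above the fix on its release line."""
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS[product])
    # A fix applies to every version sharing all but its last component.
    # The longest matching prefix wins, so Bitbucket 3.5.0.1 is measured against
    # 3.5.0.2, while Confluence 3.5.3 is measured against 3.5.7.
    candidates = [f for f in fixes if v[:len(f) - 1] == f[:-1]]
    if candidates:
        return v >= max(candidates, key=len)
    # Not on a release line the advisory names. Assumption: a line newer than the
    # newest listed fix post-dates the advisory; everything else is "prior to the
    # fixed versions" and therefore affected.
    return v > fixes[-1]


def compatible_fixes(product: str, host_version: str) -> List[str]:
    """Fixed app versions whose compatibility range includes the host version."""
    h = parse_version(host_version)
    return [app for low, high, app in COMPATIBILITY[product]
            if parse_version(low) <= h <= parse_version(high)]


def advise(product: str, host_version: str, installed: str) -> str:
    """One-line verdict for an installation."""
    if is_fixed(product, installed):
        return f"{product} {host_version}: app {installed} is fixed"
    options = ", ".join(compatible_fixes(product, host_version)) or "none listed; raise a support request"
    return f"{product} {host_version}: app {installed} is AFFECTED; compatible fixes: {options}"


if __name__ == "__main__":
    # The advisory's own worked example, plus a Bitbucket 3.5.0.x line check.
    print(advise("bamboo", "6.6.0", "2.5.5"))
    print(advise("bitbucket", "7.15.0", "3.5.0.1"))
    print(advise("jira", "8.14.1", "3.6.7"))
```

Run it against each Atlassian instance's host version and installed app version (both are shown in the host product's "Manage apps" screen); an instance whose host version matches no range in the table is the case the advisory tells you to raise a support request for.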