XSS Vulnerability on Logged Out Page
| Advisory Release Date | |
| Affected SAML SSO versions | 2.1.0 - 2.4.7 & 3.0.x |
| Fixed SAML SSO versions | The vulnerability has been fixed for versions 2.4.8 and 3.1.0 of the plugin. A workaround exists for all affected versions. |
| CVSS 3.0 Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C |
| CVSS 3.0 Score | 6.1 (Base), 5.5 (Temporal) → Medium |
Summary of Vulnerability
This advisory discloses a medium severity XSS-based security vulnerability affecting the SAML Single Sign On Plugin in versions 2.1.0 through 2.4.7 inclusive, as well as all versions 3.0.x. Versions 0.15.x, 2.0.x, 3.1.x and higher are not affected.
Please upgrade your installations immediately to fix this vulnerability.
What You Need to Do
Upgrade to SAML Single Sign On (SSO) version 2.4.8 or 3.1.0 or higher, OR apply the documented workaround.
If you need help with either of these courses of action, please raise a support request via our Support Portal.
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.
If you are unable to upgrade to a recent version at this point in time, you can alternatively apply the following workaround:
- Visit the addon's configuration page at https://yourjira/plugins/servlet/samlsso/admin and authenticate if necessary.
- Open the tab "Page Templates" and find the entry called "Logged Out Page Template". In the default template, look for the lines
  #if($loginurl) <p> <a href="$loginurl">Login with username and password</a> </p> #end
- Depending on your situation, do one of the following:
  - If you did not find the snippet or any other reference to $loginurl because you already forbid login without SSO, you are not vulnerable.
  - If you are not using logout redirection, simply remove the code from the template.
  - If you are okay with losing the link to username/password login on the logged out page, simply remove the code from the template.
  - If you want to retain the link to username/password login on the logged out page, hard-code the actual URL: determine the actual login page URL from the table on "Cannot access JIRA/Confluence/Bitbucket/Bamboo/Fisheye-Crucible anymore - Bypass SSO" and, in the page template, replace the snippet above with the following
    <p> <a href="YOUR_NOSSO_LOGIN_URL">Login with username and password</a> </p>
- Do not forget to save the modified configuration.
- (Optional) Test your changes by visiting one of the URLs listed in the "Attack Scenario" section.
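The following Python example is added here to illustrate the mechanism behind this advisory and why the workaround removes it; it is not code from the advisory or from the plugin. It models the default template snippet as a plain string substitution (the real plugin renders a Velocity template), and everything else in it is an assumption: the base URL https://yourjira taken from the configuration page above, the helper names render_vulnerable, render_hardened, is_local_login_url and template_references_loginurl, the fallback placeholder YOUR_NOSSO_LOGIN_URL standing in for the real no-SSO login URL, and the constructed sample values.

```python
"""Added example (not part of the advisory or the plugin): a minimal stand-in
for the "Logged Out Page Template" showing the effect of an unescaped
$loginurl and what the workaround (hard-coded URL) and a proper fix
(origin check plus attribute escaping) change."""
import html
from urllib.parse import urlsplit

# The default snippet quoted in the advisory, rewritten as a Python format
# string. The real plugin uses Velocity; this is a simplified stand-in.
DEFAULT_SNIPPET = '<p> <a href="{loginurl}">Login with username and password</a> </p>'

# Placeholder from the advisory's workaround; the real value comes from the
# linked "Bypass SSO" documentation table.
FALLBACK_LOGIN_URL = "YOUR_NOSSO_LOGIN_URL"


def template_references_loginurl(template_text):
    """Mirror the advisory's first check: a template that never mentions
    $loginurl does not need the workaround."""
    return "$loginurl" in template_text


def render_vulnerable(loginurl):
    """Mirror the affected behaviour: the value is substituted verbatim into
    the href attribute, so attribute-closing characters are not neutralised.
    An empty value reproduces the #if($loginurl) ... #end guard."""
    if not loginurl:
        return ""
    return DEFAULT_SNIPPET.format(loginurl=loginurl)


def is_local_login_url(base_url, candidate):
    """Accept only URLs that stay on the application's own origin: either a
    root-relative path (no scheme, no host, not the '//host' form) or an
    absolute http(s) URL whose scheme and host match the base URL."""
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        return candidate.startswith("/") and not candidate.startswith("//")
    base = urlsplit(base_url)
    return (parts.scheme in ("http", "https")
            and parts.scheme == base.scheme
            and parts.netloc == base.netloc)


def render_hardened(base_url, loginurl, fallback=FALLBACK_LOGIN_URL):
    """Two defensive layers: values that do not stay on the application's
    origin are replaced by the hard-coded login URL (the advisory's
    workaround), and whatever is emitted is HTML-escaped for the attribute
    context so it can never terminate the href or start a new tag."""
    if not loginurl:
        return ""
    if not is_local_login_url(base_url, loginurl):
        loginurl = fallback
    return DEFAULT_SNIPPET.format(loginurl=html.escape(loginurl, quote=True))


# Constructed sample values (not from the advisory).
BASE_URL = "https://yourjira"
LEGIT_URL = "/login.jsp?a=1&b=2"
BREAKOUT_VALUE = '"><em>injected</em>'   # closes the attribute, then adds markup


def demo():
    """Return (vulnerable, hardened) renderings for the constructed breakout value."""
    return render_vulnerable(BREAKOUT_VALUE), render_hardened(BASE_URL, BREAKOUT_VALUE)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable:", vulnerable)
    print("hardened:  ", hardened)
    print("legit, escaped:", render_hardened(BASE_URL, LEGIT_URL))
```

The origin check alone is not sufficient (a same-origin value can still carry a double quote), and escaping alone still lets an attacker-chosen off-site URL through, which is why the hardened renderer applies both; the advisory's workaround of hard-coding the URL sidesteps both problems by never consuming the request-controlled value at all.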
Attack Scenario
To exploit this vulnerability, the following prerequisites must be met:
- The SAML Single Sign On addon is installed in a vulnerable version
- The Logged Out Page Template setting contains a link that uses $loginurl (the default setting)
- The attacker can manipulate a victim into visiting a prepared link
Sample crafted Proof-of-Concept URLs: