Users are always re-enabled during login when updated
Current: 2019-07-11

Summary: Misleading UI can lead to a deactivated user being re-enabled after a successful authorization by the Identity Provider
Advisory Release Date: 2019/07/15
Products: SAML Single Sign On (SSO) for JIRA; SAML Single Sign On (SSO) for Confluence; SAML Single Sign On (SSO) for Bitbucket; SAML Single Sign On (SSO) for Bamboo
Affected SAML SSO versions: 2.4.0-3.0.3 Bitbucket and Bamboo, 3.1.0 - 3.2.2 Jira and Confluence
Fixed SAML SSO versions: 3.3.0 for Jira, Confluence and Bitbucket, 2.5.4 for Bamboo (to be released)
CVSS Score (Base Score / Temporal Score): 6.4 / 6.1
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C
CVE Number: CVE-2019-13347
  https://nvd.nist.gov/vuln/detail/CVE-2019-13347
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13347

Summary
This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin Version 2.4.0-2.5.3 for Bitbucket and Bamboo, and 3.1.0 - 3.2.2 for Jira and Confluence.
Please upgrade your installations to fix this vulnerability.

Am I affected?
You are only affected if:
- the User Update Method is set to Update from SAML Attributes, and
- you deactivated the Reactivate inactive users option.
In the default settings, Reactivate inactive users is always activated. Thus you are only affected if you change the default settings.

Details
The SAML SSO plugin has an option to Reactivate inactive users. When enabled, locally disabled users are reactivated during login, even if the feature to update users with data provided by the IdP is disabled.
When Reactivate inactive users is disabled, but the user update with data from the IdP is enabled, locally disabled users are nevertheless re-enabled.
The UI is misleading here: the expected behaviour is to keep locally disabled users disabled when Reactivate inactive users is not active. Since a user must first be authorized by the identity provider, this vulnerability has a rather low impact.

What You Need to Do
If you need the ability to keep locally disabled users disabled while having user update enabled, upgrade to SAML Single Sign On (SSO) Version 3.3.0 (2.5.4 for Bamboo).
If you need help with either of these courses of action, please raise a support request via our Support Portal.

Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Acknowledgment
Thanks to Lukas Braune of Siemens for reporting the bug.
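To make the logic flaw in the Details section concrete, the following is an added model of the login-time provisioning decision, written for this page and not taken from the plugin's code base. SsoSettings, LocalUser, apply_attributes_vulnerable, apply_attributes_fixed and config_is_affected are assumed names; the two option names mirror the advisory's "User Update Method" and "Reactivate inactive users". The flawed variant re-enables a locally deactivated account whenever the attribute-update path runs; the fixed variant lets only the Reactivate inactive users option touch the active flag. config_is_affected encodes the "Am I affected?" check for a given configuration.

```python
from dataclasses import dataclass, replace

# Assumed configuration model (not the plugin's own API).
UPDATE_FROM_SAML_ATTRIBUTES = "update_from_saml_attributes"


@dataclass(frozen=True)
class SsoSettings:
    user_update_method: str          # e.g. UPDATE_FROM_SAML_ATTRIBUTES or "none"
    reactivate_inactive_users: bool  # the "Reactivate inactive users" option


@dataclass
class LocalUser:
    username: str
    email: str
    active: bool                     # False = locally deactivated by an admin


def apply_attributes_vulnerable(user: LocalUser, attrs: dict, settings: SsoSettings) -> LocalUser:
    """Models the behaviour the advisory describes as the bug.

    The IdP has already authenticated the user; this is the local provisioning step.
    The attribute-update path writes the whole user record, including an
    unconditional active=True, so a locally deactivated user is re-enabled
    even though reactivation was switched off.
    """
    user = replace(user)  # work on a copy so the caller's record is untouched
    if settings.reactivate_inactive_users:
        user.active = True
    if settings.user_update_method == UPDATE_FROM_SAML_ATTRIBUTES:
        user.email = attrs.get("email", user.email)
        user.active = True  # the defect: re-enables regardless of the reactivate option
    return user


def apply_attributes_fixed(user: LocalUser, attrs: dict, settings: SsoSettings) -> LocalUser:
    """Expected behaviour: only the Reactivate inactive users option may re-enable an account."""
    user = replace(user)
    if settings.reactivate_inactive_users:
        user.active = True
    if settings.user_update_method == UPDATE_FROM_SAML_ATTRIBUTES:
        user.email = attrs.get("email", user.email)
        # active flag deliberately left alone here
    return user


def login_allowed(user: LocalUser) -> bool:
    """Local access decision after provisioning: deactivated accounts must not get a session."""
    return user.active


def config_is_affected(settings: SsoSettings) -> bool:
    """The advisory's 'Am I affected?' condition for a given configuration.

    Affected only when updates come from SAML attributes AND reactivation is
    disabled; the shipped default (reactivation enabled) is not affected.
    """
    return (settings.user_update_method == UPDATE_FROM_SAML_ATTRIBUTES
            and not settings.reactivate_inactive_users)


if __name__ == "__main__":
    # Constructed sample: an admin deactivated alice locally, then alice authenticates at the IdP.
    non_default = SsoSettings(UPDATE_FROM_SAML_ATTRIBUTES, reactivate_inactive_users=False)
    alice = LocalUser("alice", "alice@example.test", active=False)
    idp_attrs = {"email": "alice.new@example.test"}  # constructed IdP assertion attributes

    print("config affected:", config_is_affected(non_default))
    print("vulnerable path grants login:",
          login_allowed(apply_attributes_vulnerable(alice, idp_attrs, non_default)))
    print("fixed path grants login:",
          login_allowed(apply_attributes_fixed(alice, idp_attrs, non_default)))
```

Running the module shows the vulnerable path granting a session to the deactivated account while the fixed path denies it; with reactivate_inactive_users set back to True (the default), both paths re-enable the user, which is the documented and intended behaviour of that option.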