Summary

This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin Version 2.4.0-2.5.3 for Bitbucket and Bamboo, and 3.1.0 - 3.2.2 Jira and Confluence.

Please upgrade your Installations to fix this vulnerability.

Am I affected?

You are only affected, if:

• the User Update Method is set to Update from SAML Attributes
  
  and
  
  
• you deactivated the Reactivate inactive users option. 

In the default settings, Reactivate inactive users is always activated. Thus you are only affected if you change the default settings.

Details

The SAML SSO plugin has an option to Reactivate inactive users. When enabled, locally disabled users are reactivated during login, even if the feature to update users with data provided by the IdP is disabled.

When Reactivate inactive users is disabled, but the user update with data from the IdP is enabled, locally disabled users are reenabled. The UI is misleading here, the expected behaviour should be to keep locally disabled users disabled when Reactivate inactive users is not active.

Since a user must first be authorized by the identity provider, this vulnerability has a rather low impact.

What You Need to Do

If you need the ability to keep locally disabled users disabled while having user update enabled, upgrade to SAML Single Sign On (SSO) Version 3.3.0 (2.5.4 for Bamboo).

If you need help with either if these courses of action, please raise a support request via our Support Portal. 

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Acknowledgment

Thanks to Lukas Braune of Siemens for reporting the bug.