SAML Single Sign On Security Advisories Current: 2019-09-09 Host-Header Injection 2019-09-09 Host-Header Injection SummaryHost-Header injection possible with recent SAML SSO versionsAdvisory Release Date2019/09/09ProductsSAML Single Sign On (SSO) for JIRASAML Single Sign On (SSO) for ConfluenceSAML Single Sign On (SSO) BitbucketSAML Single Sign On (SSO) for BambooSAML Single Sign On (SSO) for FisheyeAffected SAML SSO versions2.0.8 - 3.3.2Fixed SAML SSO versions3.4.0 for Jira, Confluence and Bitbucket; 2.5.5 for Bamboo/FisheyeCVSS Score: Base Score / Temporal Score5.3SummaryThis advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin since Version 2.0.8.Please upgrade your Installations to fix this vulnerability. Please be aware that enabling Alternate AssertionConsumerServiceURL in SAML-Request could keep your system vulnerable.DetailsThe Atlassian APIs provide methods to detect the applications absolute base-URL (e.g. https://your.jira.example.com/jira). These methods rely on the request's host-header. Older versions of SAML Single Sign On use that information to generate several URLs, including the AssertionConsumerServiceURL in the SAML-requests. By overriding the Host-header, an attacker could potentially change these values to redirect users to a malicous server. Fixed versions are using relative URLs or the application's configured base URL when generating URLs. Please be aware that there is on excemption to this when enabling Alternate AssertionConsumerServiceURL in SAML-Request.In a scenario of several hosted web apps or websites on the same ip address, the web server uses the host header to decide where to send the HTTP request to. If an attacker is able to modify the host header, the user is redirected to the host as specified by the attacker.Fortunately, attack vectors are rather limited, altering the host header is not easy. Two attack vectors areWeb-cache poisoning (An attacker needs to modify a caching mechanism between your Atlassian product and the user. The cache then serves the malicious host and the victim is redirected to it.)Password Reset Poisoning (An attacker sends a password reset email to the victim with a malicious host, thus the victim will be redirected to the attacker's side and needs to enter their password. In consequence, the attacker gains knowledge of the password).Please see https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/ for further information.What You Need to DoIn general, please update the SAML SSO plugins to the latest versions, especially for versions 2.0.8 to 2.5.0 and 3.0.0 to 3.1.5 of the SAML SSO plugin.For versions 2.5.1 to 2.5.4 and 3.1.6 to 3.3.1, one important attack vector was closed, but please also considering updating the plugin.If you cannot update the plugin, configure your reverse proxy to prevent cache poisoning with alternative host headers, e.g. by deactivating caching at all or by not using the Atlassian app as the default backend. Please note, that this does not close all attack vectors.If you need help with either if these courses of action, please raise a support request via our Support Portal. SupportIf you have questions or concerns regarding this advisory, please raise a support request via our Support Portal. SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products. Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.