SAML Single Sign On Security Advisories

2019-02-12 XSS Vulnerability on Logged Out Page

Summary: XSS Vulnerability on Logged Out Page
Advisory Release Date: 2019/02/12
Products:
- SAML Single Sign On (SSO) for JIRA
- SAML Single Sign On (SSO) for Confluence
- SAML Single Sign On (SSO) for Bitbucket
- SAML Single Sign On (SSO) for Bamboo
- SAML Single Sign On (SSO) for Fisheye
Affected SAML SSO versions: 2.1.0 - 2.4.7 & 3.0.x
Fixed SAML SSO versions: The vulnerability has been fixed in versions 2.4.8 and 3.1.0 of the plugin. A workaround exists for all affected versions.
CVSS 3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
CVSS 3.0 Score: 6.1 (Base), 5.5 (Temporal) → Medium

Summary of Vulnerability

This advisory discloses a medium severity XSS-based security vulnerability affecting SAML Single Sign On Plugin versions 2.1.0 through 2.4.7 inclusive, as well as all 3.0.x versions. Versions 0.15.x, 2.0.x, 3.1.x and higher are not affected. Please upgrade your installations immediately to fix this vulnerability.

What You Need to Do

Upgrade to SAML Single Sign On (SSO) version 2.4.8 or 3.1.0 or higher, OR apply the documented workaround. If you need help with either of these courses of action, please raise a support request via our Support Portal.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Workaround

If you are unable to upgrade to a recent version at this point in time, you can alternatively apply the following workaround:

1. Visit our addon's configuration page at https://yourjira/plugins/servlet/samlsso/admin . Authenticate if necessary.
2. Open the tab "Page Templates" and find the entry called "Logged Out Page Template".
3. In the default template, look for the lines

    #if($loginurl)
    <p>
    <a href="$loginurl">Login with username and password</a>
    </p>
    #end

4. Depending on your situation, do one of the following:
   - If you did not find the snippet or any other references to $loginurl because you already forbid login without SSO, you are not vulnerable.
   - If you are not using logout redirection, simply remove the code from the template.
   - If you are okay with losing the link to username/password login on the logged out page, simply remove the code from the template.
   - If you want to retain the link to username/password login on the logged out page, you can hard-code the actual URL:
     a. Determine the actual login page URL from the table on "Cannot access Jira / Confluence / Bitbucket / Bamboo / Fisheye-Crucible anymore - Bypass SSO".
     b. In the page template, replace the snippet above with the following:

        <p>
        <a href="YOUR_NOSSO_LOGIN_URL">Login with username and password</a>
        </p>

5. Do not forget to Save the modified config.
6. (Optional) Test your changes by visiting one of the URLs listed in the "Attack scenario" section.

Details

Prerequisites

To exploit this vulnerability, the following prerequisites must be met:
- The SAML Single Sign On addon is installed in a vulnerable version.
- The Logged Out Page Template setting contains a link to $loginurl (default setting).
- The attacker can manipulate a victim into visiting a prepared link.

Attack scenario

It is possible to set the "loginurl" query parameter of the logged out page (accessible via https://yourjira/plugins/servlet/samlsso/loggedoutpage ) to an arbitrary URL or JavaScript code. The user still has to open the crafted link they received from the attacker and then click the "Login with username and password" link. Once that link is clicked, the user will be redirected to the page given by the attacker or execute the injected JavaScript code.

The attacker could set up a page resembling the Atlassian app's login page, into which users may enter their credentials. These could then be stolen. The user's current session is most likely safe, since the JSESSIONID cookie is set to be httpOnly and can therefore not be accessed from the JavaScript context.

Sample crafted Proof-of-Concept URLs:
- https://yourjira/plugins/servlet/samlsso/loggedoutpage?loginurl=http://www.google.com
- https://yourjira/plugins/servlet/samlsso/loggedoutpage?loginurl=javascript:alert(1)
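As an added defender-side illustration (not the plugin vendor's code), the following Python shows the check a logged-out page should apply to a loginurl value before writing it into the href of the "Login with username and password" link, accepting only same-site paths or absolute URLs on the app's own origin, and then runs that check over constructed access-log lines to flag requests carrying values like the PoC URLs above. The base URL https://yourjira, the access-log format and the log lines themselves are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: the Atlassian app's own base URL (the advisory writes it as https://yourjira).
APP_BASE = "https://yourjira"


def is_safe_login_url(value, app_base=APP_BASE):
    """True only for a relative path or an absolute URL on the app's own origin; anything
    else (javascript:, data:, other hosts, protocol-relative //host) must never reach the href."""
    v = (value or "").strip()
    # Control characters and embedded whitespace are classic scheme-obfuscation tricks.
    if not v or any(ord(c) <= 0x20 for c in v):
        return False
    p = urlparse(v)
    if not p.scheme and not p.netloc:
        return v.startswith("/")  # same-site path; "//host/..." has a netloc and is rejected below
    base = urlparse(app_base)
    return p.scheme.lower() == base.scheme.lower() and p.netloc.lower() == base.netloc.lower()


def suspicious_loggedoutpage_requests(log_lines):
    """Return (loginurl value, log line) for loggedoutpage requests whose loginurl fails the check."""
    hits = []
    for line in log_lines:
        try:  # common access-log shape: ... "GET /path?query HTTP/1.1" status size
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        u = urlparse(target)
        if not u.path.endswith("/plugins/servlet/samlsso/loggedoutpage"):
            continue
        for raw in parse_qs(u.query).get("loginurl", []):
            if not is_safe_login_url(raw):
                hits.append((raw, line))
    return hits


# Constructed sample access-log lines (not real traffic); the last two mirror the advisory's PoC URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2019:10:00:01 +0000] "GET /plugins/servlet/samlsso/loggedoutpage?loginurl=/login.jsp%3Fnosso HTTP/1.1" 200 812',
    '10.0.0.5 - - [12/Feb/2019:10:00:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Feb/2019:10:00:03 +0000] "GET /plugins/servlet/samlsso/loggedoutpage?loginurl=http://www.google.com HTTP/1.1" 200 812',
    '10.0.0.9 - - [12/Feb/2019:10:00:04 +0000] "GET /plugins/servlet/samlsso/loggedoutpage?loginurl=javascript:alert(1) HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for raw, line in suspicious_loggedoutpage_requests(SAMPLE_LOG):
        print("rejected loginurl:", raw)
```

The hard-coded YOUR_NOSSO_LOGIN_URL from the workaround is, in these terms, a value that passes the check by construction; the same allow-list logic is what lets a patched page keep a dynamic link safely.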