Lucene search

K
cve[email protected]CVE-2019-13347
HistoryDec 13, 2019 - 1:15 p.m.

CVE-2019-13347

2019-12-1313:15:11
web.nvd.nist.gov
26
cve-2019-13347
saml
single sign on
sso
atlassian
jira
confluence
bitbucket
bamboo
vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

41.5%

An issue was discovered in the SAML Single Sign On (SSO) plugin for several Atlassian products affecting versions 3.1.0 through 3.2.2 for Jira and Confluence, versions 2.4.0 through 3.0.3 for Bitbucket, and versions 2.4.0 through 2.5.2 for Bamboo. It allows locally disabled users to reactivate their accounts just by browsing the affected Jira/Confluence/Bitbucket/Bamboo instance, even when the applicable configuration option of the plugin has been disabled (“Reactivate inactive users”). Exploiting this vulnerability requires an attacker to be authorized by the identity provider and requires that the plugin’s configuration option “User Update Method” have the “Update from SAML Attributes” value.

Affected configurations

NVD
Node
atlassiansaml_single_sign_onRange2.4.03.0.3bamboo
OR
atlassiansaml_single_sign_onRange2.4.03.0.3bitbucket
OR
atlassiansaml_single_sign_onRange3.1.03.2.2confluence
OR
atlassiansaml_single_sign_onRange3.1.03.2.2jira

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

41.5%

Related for CVE-2019-13347