Published: 13/12/2019 Updated: 24/08/2020

CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8

CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6

VMScore: 534

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

An issue exists in the SAML Single Sign On (SSO) plugin for several Atlassian products affecting versions 3.1.0 up to and including 3.2.2 for Jira and Confluence, versions 2.4.0 up to and including 3.0.3 for Bitbucket, and versions 2.4.0 up to and including 2.5.2 for Bamboo. It allows locally disabled users to reactivate their accounts just by browsing the affected Jira/Confluence/Bitbucket/Bamboo instance, even when the applicable configuration option of the plugin has been disabled ("Reactivate inactive users"). Exploiting this vulnerability requires an malicious user to be authorized by the identity provider and requires that the plugin's configuration option "User Update Method" have the "Update from SAML Attributes" value.

Vulnerable Product	Search on Vulmon	Subscribe to Product
atlassian saml single sign on

NVD-CWE-noinfo https://marketplace.atlassian.com/apps/1212129/saml-single-sign-on-sso-confluence?hosting=server&tab=overview https://wiki.resolution.de/doc/saml-sso/latest/all/security-advisories/2019-07-11-users-are-always-re-enabled-during-login-when-updated https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2019-13347

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect