The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9.
2021-08-02T19:15:08.567
2024-11-21T06:15:57.710
Modified
CVSSv3.1: 9.8 (CRITICAL)
AV:N/AC:L/Au:N/C:P/I:P/A:P
10.0
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | atlassian | saml_single_sign_on | < 2.5.9 | Yes |
| Application | atlassian | saml_single_sign_on | < 2.5.9 | Yes |
| Application | atlassian | saml_single_sign_on | < 2.5.9 | Yes |
| Application | atlassian | saml_single_sign_on | < 3.5.6 | Yes |
| Application | atlassian | saml_single_sign_on | < 3.6.6.1 | Yes |
| Application | atlassian | saml_single_sign_on | < 3.6.6 | Yes |
| Application | atlassian | saml_single_sign_on | < 3.6.6 | Yes |
| Application | atlassian | saml_single_sign_on | < 3.6.6.1 | Yes |
| Application | atlassian | saml_single_sign_on | < 4.0.12 | Yes |
| Application | atlassian | saml_single_sign_on | < 4.0.12 | Yes |
| Application | atlassian | saml_single_sign_on | < 4.0.12 | Yes |
| Application | atlassian | saml_single_sign_on | < 4.0.12 | Yes |
| Application | atlassian | saml_single_sign_on | < 5.0.5 | Yes |
| Application | atlassian | saml_single_sign_on | < 5.0.5 | Yes |
| Application | atlassian | saml_single_sign_on | < 5.0.5 | Yes |
| Application | atlassian | saml_single_sign_on | < 5.0.5 | Yes |