...
See the latest changes in version 5.10.35.
Compatible applications
Application | Compatible from version
---|---
Bamboo | 7.1.0 Server, 8.0.0 Data Center
Bitbucket | 7.5.0
Confluence | 7.4.0
Jira | 8.11.0
...
Stored XSS in Kantega SSO Enterprise via group names lets an attacker elevate a privileged user account to System admin. When script injection is stored in group names under User Management > Groups, a select/dropdown component used on the "Group Memberships" page, the "Disable traditional username/password login" page and the "Disable Kerberos for some users" page was susceptible to stored XSS. The vulnerability is considered of low severity, since the attacker would already need administrative access to the system. [Stored XSS via group names, oidc/saml, common, kerberos]
Thanks to Bug Bounty researcher UpdateLap for discovering this vulnerability.
Patch CVE-2022-25858 found in the webpack terser plugin.
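The defect class described in the entry above is a dropdown that places stored group names into markup without encoding them. The following is an added illustration, not code from Kantega SSO Enterprise: it renders a list of constructed group names into a `<select>` both the unsafe way (raw interpolation) and the hardened way (HTML entity encoding of every interpolation point), and includes a small check that flags markup containing tags the renderer did not emit itself. The function names, the `group` field name and the sample group names are all assumptions made for this example.

```javascript
// Added illustration (not Kantega SSO code): rendering a <select> of group names
// with and without HTML encoding. Group names are input controlled by whoever can
// manage groups, so they must be encoded before being placed into markup.

// Constructed sample group names; the last one carries a script-bearing tag.
const GROUP_NAMES = [
  "confluence-users",
  "jira-administrators",
  '<img src=x onerror="alert(1)">',
];

// Minimal HTML entity encoding that is safe for both text and quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: raw string concatenation puts the group name straight into markup.
function renderOptionsUnsafe(names) {
  return '<select name="group">' +
    names.map((n) => `<option value="${n}">${n}</option>`).join("") +
    "</select>";
}

// Hardened pattern: every interpolation point is encoded, for the attribute and the text node.
function renderOptionsSafe(names) {
  return '<select name="group">' +
    names.map((n) => `<option value="${escapeHtml(n)}">${escapeHtml(n)}</option>`).join("") +
    "</select>";
}

// Check used in tests or a rendering audit: does the output contain any tag other than
// the <select>/<option> tags this renderer is allowed to produce?
function containsInjectedTag(html) {
  return /<(?!\/?(select|option)\b)[a-z]/i.test(html);
}

console.log("unsafe:", renderOptionsUnsafe(GROUP_NAMES));
console.log("safe:  ", renderOptionsSafe(GROUP_NAMES));
console.log("unsafe has injected tag:", containsInjectedTag(renderOptionsUnsafe(GROUP_NAMES)));
console.log("safe has injected tag:  ", containsInjectedTag(renderOptionsSafe(GROUP_NAMES)));
```

The check in `containsInjectedTag` is deliberately narrow: it only knows which tags the renderer legitimately emits, which is the kind of assertion a unit test for a templating helper can make cheaply, whereas a full HTML parser would be needed to reason about arbitrary output.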
Changes in 5.10.4
11:30 CET
Bugfix backup of config in Windows and other improvements
Bug fixes
A change introduced in version 5.7 of Kantega SSO Enterprise made a subtle change to file handling, which broke the creation of a backup of the config file on Windows servers, because of a file lock that occurred only on Windows and went undiscovered in Unix-based QA. [Backup & restore]
Improvements
The Debug info text in the Support tab now contains information from the latest OIDC/SAML test logins, and so gives a more complete picture of the instance without having to send several fragments from test pages in addition to the global Debug info text. [support debug information]
Fixed a debug log statement whose reasoning for blocking a request was inverted. [api tokens]
Changes in 5.10.5
16:00 CET
Improvements to fallback redirect and default parameters
Improvements
Setting up Azure AD with OIDC will now have populated default parameters for name and email. [Azure AD OIDC]
Added login_hint to the redirect when FALLBACK is chosen as redirect mode. [saml/oidc]