...
Date published | |
---|---|
Summary | Faulty URL parameter handling in the SAML POST binding login servlet makes it possible to inject HTML into the login page, which makes cross-site scripting attacks possible. The missing sanitization allows remote attackers to inject arbitrary web script or HTML via URL parameters on the SAML POST binding login servlet in Kantega SSO Enterprise. |
CVE ID | |
Affected apps | Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira |
Affected versions | All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0 |
Affected product feature | Identity Providers > SAML > Advanced SAML Settings > POST binding |
Patched versions | Starting from 6.20.0. Backport patches: 5.11.5, 4.14.9 |
Info |
---|
Subscribe to our security and critical updates mailing list if you would like to receive updates about announcements like this by email. |
Summary of vulnerability
SAML SSO configurations using SAML POST binding (configured in Advanced SAML settings) are vulnerable to cross-site scripting through HTML injection in URL parameters. The vulnerability only applies if you have activated Enable POST binding in Identity Providers > your identity provider > Advanced SAML settings:
...
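The following Python is an added example, not Kantega's code, showing the mechanism behind this advisory: a service provider building the HTTP-POST binding form from request values. It assumes RelayState is the echoed parameter (the advisory names only "URL parameters"), and the `render_form_*` and `validate_relay_state` functions are hypothetical; the unsafe renderer is shown beside the escaped and validated one.

```python
# Added example, not Kantega's code. In the SAML HTTP-POST binding the service
# provider renders an auto-submitting HTML form, so request parameters such as
# RelayState (assumed here to be the injected parameter; the advisory only says
# "URL parameters") flow straight into server-generated markup.
import base64
import html
import re

# Constructed sample AuthnRequest, base64-encoded as the binding requires.
SAMPLE_REQUEST_B64 = base64.b64encode(b"<samlp:AuthnRequest ID='_1'/>").decode()

# RelayState may be at most 80 bytes (SAML 2.0 Bindings, section 3.1.1). The
# whitelist is an assumed local policy: URL characters, no quotes or brackets.
RELAYSTATE_RE = re.compile(r"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]{0,80}")


def render_form_vulnerable(destination, saml_request_b64, relay_state):
    # Unsafe pattern: values are interpolated verbatim, so a value containing a
    # quote or '<' ends the attribute and the rest is parsed as markup.
    return (
        f'<form method="post" action="{destination}">'
        f'<input type="hidden" name="SAMLRequest" value="{saml_request_b64}">'
        f'<input type="hidden" name="RelayState" value="{relay_state}">'
        "</form><script>document.forms[0].submit()</script>"
    )


def validate_relay_state(relay_state):
    """Reject RelayState values that are over-long or outside the whitelist."""
    if relay_state is None:
        return ""
    if len(relay_state.encode("utf-8")) > 80 or not RELAYSTATE_RE.fullmatch(relay_state):
        raise ValueError("invalid RelayState")
    return relay_state


def render_form_hardened(destination, saml_request_b64, relay_state):
    # destination is the configured IdP SSO URL, never taken from the request.
    base64.b64decode(saml_request_b64, validate=True)  # binascii.Error if not base64
    relay_state = validate_relay_state(relay_state)
    # Every value sits in a double-quoted attribute; html.escape (quote=True by
    # default) encodes & < > " and ', so no value can terminate the attribute.
    esc = html.escape
    return (
        f'<form method="post" action="{esc(destination)}">'
        f'<input type="hidden" name="SAMLRequest" value="{esc(saml_request_b64)}">'
        f'<input type="hidden" name="RelayState" value="{esc(relay_state)}">'
        "</form><script>document.forms[0].submit()</script>"
    )
```

Output encoding is the fix; the length and character checks are defence in depth and also catch the over-long RelayState values the binding specification forbids.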
Affected Kantega SSO Enterprise versions
The table below shows which versions are affected. We have released a patch in version 6.20.0 of Kantega SSO Enterprise for all host products, and a backport version in 5.11.5.
Affected apps | Vulnerability criteria | Fixes |
---|---|---|
Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center; Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Server | If you are running SAML with POST binding: all versions. Your installation is vulnerable if all the following statements are true: | Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9. Option 2: Disable POST binding in advanced SAML settings and use the default redirect binding. Option 3: Configure a new identity provider using OpenID Connect and disable SAML. |
Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center; Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Server | If you are running SAML with POST binding: all versions. Your installation is vulnerable to the exploit if all the following statements are true: | Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9. Option 2: Disable POST binding in advanced SAML settings and use the default redirect binding. Option 3: Configure a new identity provider using OpenID Connect and disable SAML. |
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center; Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Server | If you are running SAML with POST binding: all versions. Your installation is vulnerable if all the following statements are true: | Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9. Option 2: Disable POST binding in advanced SAML settings and use the default redirect binding. Option 3: Configure a new identity provider using OpenID Connect and disable SAML. |
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Server; Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center | If you are running SAML with POST binding: Server, all versions; Data Center, same as for Server, but only versions between 5.6.2 - 6.19.0. Your installation is vulnerable to the exploit if all the following statements are true: | Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9. Option 2: Disable POST binding in advanced SAML settings and use the default redirect binding. Option 3: Configure a new identity provider using OpenID Connect and disable SAML. |
Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru | If you are running SAML with POST binding: all versions. Your installation is vulnerable if all the following statements are true: | Option 1: Update Kantega SSO Enterprise to version 4.14.9 when available; until then, downgrade to version 4.4.1 or apply a temporary workaround and wait for the update to 4.14.9 (we are working on a backport; it will be available soon). Option 2: Disable POST binding in advanced SAML settings and use the default redirect binding. Option 3: Configure a new identity provider using OpenID Connect and disable SAML. |
Support
Are you worried, or do you have any questions about the vulnerability? Reach out to our support team: please raise a ticket in our help center or send an email to security@kantega-sso.com, and we will assist you with any questions or concerns.
Changelog
- Update summary table with CVE ID
- More updates about backport version 4.14.9
- Updates about backport version and support contact, and more details
- Updates about remediation
- Initial publication
...