Security Vulnerability: Faulty URL parameter sanitization allows HTML injection into the SAML login page

 

Date published

Nov 8, 2023

Date published

Nov 8, 2023

Summary

Faulty sanitization allows remote attackers to inject arbitrary web script or HTML via URL parameters on the SAML POST binding login servlet in Kantega SSO Enterprise.

CVE ID

CVE-2023-52240

Affected apps

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira
Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo

Affected versions

All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0

Affected product feature

Identity Providers > SAML > Advanced SAML Settings > POST binding

Patched versions

Starting from 6.20.0.

Backport patches: 5.11.5, 4.14.9

 

 

Subscribe to our security and critical updates mailing list if you would like to receive updates about announcements like this per email.

Summary of vulnerability

SAML SSO configurations using SAML POST binding (configured in Advanced SAML settings) are vulnerable to cross-site scripting through HTML injection in URL parameters. The vulnerability only applies if you have activated Enable POST binding in Identity Providers > your identity provider > Advanced SAML settings:

 

Affected Kantega SSO Enterprise versions

The below table highlights which versions are affected. We have released a patch in version 6.20.0 of Kantega SSO Enterprise for all host products, and a backport version in 5.11.5.

Affected apps

Vulnerability criteria

Fixes

Affected apps

Vulnerability criteria

Fixes

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Server

Your installation is vulnerable if all the following statements are true:

  1. You have installed a version of Kantega SSO Enterprise for Jira, Confluence, Bitbucket, Bamboo or FeCru between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 or 6.0.0 - 6.19.0

  2. You are using SAML to log in users.

  3. Within Identity Providers > SAML IDP > Advanced SAML settings, Enable POST binding is switched on

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backports version 5.11.5 or version 4.14.9

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center

Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Server

Your installation is vulnerable to the exploit if all the following statements are true:

  1. You have installed a version of Kantega SSO Enterprise for Jira, Confluence, Bitbucket, Bamboo or FeCru between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 or 6.0.0 - 6.19.0

  2. You are using SAML to log in users.

  3. Within Identity Providers > SAML IDP > Advanced SAML settings, Enable POST binding is switched on

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Server

Your installation is vulnerable if all the following statements are true:

  1. You have installed a version of Kantega SSO Enterprise for Jira, Confluence, Bitbucket, Bamboo or FeCru between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 or 6.0.0 - 6.19.0

  2. You are using SAML to log in users.

  3. Within Identity Providers > SAML IDP > Advanced SAML settings, Enable POST binding is switched on

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Server

 

 

 

 

 

 

 

 

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center

Your installation is vulnerable to the exploit if all the following statements are true:

  1. You have installed a version of Kantega SSO Enterprise for Jira, Confluence, Bitbucket, Bamboo or FeCru between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 or 6.0.0 - 6.19.0

  2. You are using SAML to log in users.

  3. Within Identity Providers > SAML IDP > Advanced SAML settings, Enable POST binding is switched on

 

Same as for Server, but only versions between 5.6.2 - 6.19.0

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 or version 4.14.9

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru

Your installation is vulnerable if all the following statements are true:

  1. You have installed a version of Kantega SSO Enterprise for Jira, Confluence, Bitbucket, Bamboo or FeCru between 4.4.2 - 4.14.8

  2. You are using SAML to log in users.

  3. Within Identity Providers > SAML IDP > Advanced SAML settings, Enable POST binding is switched on

Option 1: Update Kantega SSO Enterprise to version 4.14.9

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Support

Please raise a ticket in our help center send an email to security@kantega-sso.com if you have any questions or concerns.

 

Changelog

Jan 4, 2024 Update summary table with CVE ID

Nov 12, 2023 More updates about backport version 4.14.9

Nov 10, 2023 Updates about backport version and support contact, and more details

Nov 9, 2023 Updates about remediation

Nov 8, 2023 Initial publication