Date published |
|
|---|---|
Summary | Faulty URL sanitization allows remote attackers to inject arbitrary web script or HTML via URL parameters on the SAML POST binding login servlet in Kantega SSO Enterprise . |
Affected apps | Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira |
Affected versions | All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0 |
Affected product feature | Identity Providers > SAML > Advanced SAML Settings > POST binding |
Patched versions | Starting from 6.20.0. Backport patch: 5.11.5 |
Subscribe to our security and critical updates mailing list if you would like to receive updates about announcements like this per email.
Summary of vulnerability
SAML SSO configurations using SAML POST binding (configured in Advanced SAML settings) are vulnerable to cross-site scripting through HTML injection in URL parameters. The vulnerability only applies if you have activated Enable POST binding in Identity Providers > your identity provider > Advanced SAML settings:
Affected Kantega SSO Enterprise versions
The below table highlights which versions are affected. We have released a patch in version 6.20.0 of Kantega SSO Enterprise for all host products, and a backport version in 5.11.5.
Affected apps | Vulnerability criteria | Fixes |
|---|---|---|
Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Server | Your installation is vulnerable to the exploit if all the following statements are true:
| Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 Option 2: Disable POST binding in advanced SAML settings and use default redirect binding Option 3: Configure a new Identity provider using OpenID Connect and disable SAML |
Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Server | Your installation is vulnerable to the exploit if all the following statements are true:
| Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 Option 2: Disable POST binding in advanced SAML settings and use default redirect binding Option 3: Configure a new Identity provider using OpenID Connect and disable SAML |
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Server | Your installation is vulnerable to the exploit if all the following statements are true:
| Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 Option 2: Disable POST binding in advanced SAML settings and use default redirect binding Option 3: Configure a new Identity provider using OpenID Connect and disable SAML |
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Server Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center | Your installation is vulnerable to the exploit if all the following statements are true:
Same as for Server, but only versions between 5.6.2 - 6.19.0 | Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5 Option 2: Disable POST binding in advanced SAML settings and use default redirect binding Option 3: Configure a new Identity provider using OpenID Connect and disable SAML |
Your installation is vulnerable to the exploit if all the following statements are true:
| Option 1: Downgrade Kantega SSO Enterprise to version 4.4.1 or temporarily workaround and wait for update to 4.14.9 (we are working on a backport, it will be available soon) Option 2: Disable POST binding in advanced SAML settings and use default redirect binding Option 3: Configure a new Identity provider using OpenID Connect and disable SAML |
Support
Are you worried, or have any questions about the vulnerability? Reach out to our support team in our help center or send an email to security@kantega-sso.com, and we will assist you.
Changelog
Updates about backport version and support contact
Updates about remediation
Initial publication