PT-2019-13281 · Atlassian · Jira+4

Lukas Braune · Published 2019-12-13 · Updated 2020-08-24 · CVE-2019-13347

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SAML Single Sign On (SSO) plugin for Atlassian products:
Jira: plugin versions 3.1.0 through 3.2.2
Confluence: plugin versions 3.1.0 through 3.2.2
Bitbucket: plugin versions 2.4.0 through 3.0.3
Bamboo: plugin versions 2.4.0 through 2.5.2
Description

The flaw is in the user-update step of the SAML Single Sign On (SSO) plugin. When "User Update Method" is set to "Update from SAML Attributes", a user whose local account has been deactivated is reactivated simply by browsing the affected instance and completing an SSO login; the "Reactivate inactive users" option does not prevent this even when it is disabled. The user must still be authorized by the identity provider, so the exposure is accounts that were disabled locally but remain valid at the identity provider.
Recommendations

For all affected plugin lines (Jira 3.1.0 through 3.2.2, Confluence 3.1.0 through 3.2.2, Bitbucket 2.4.0 through 3.0.3, Bamboo 2.4.0 through 2.5.2), update the SAML SSO plugin and its configuration so that inactive users cannot be reactivated through SSO login. As a temporary workaround, switch the "User Update Method" away from "Update from SAML Attributes" until a patch is available.

While an affected version is installed, the "Reactivate inactive users" switch cannot be relied on as a control. Verify that accounts disabled locally are also disabled or deprovisioned at the identity provider, since that authorization is a precondition for the reactivation, and review locally disabled accounts for unexpected reactivation.
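To make the failure mode in the description and the configuration workaround in the recommendations concrete, the following is an added example constructed for this page; it is not code from the SAML SSO plugin or from Atlassian. It models two versions of the SSO login step for an identity-provider-authorized user whose local account was deactivated: a flawed one in which the "Update from SAML Attributes" sync rewrites the whole account record, including its active flag, and a hardened one that consults the reactivation policy first. The names `LocalUser`, `SsoConfig`, `user_update_method`, `reactivate_inactive_users` and the sample assertion attributes are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class LocalUser:
    """Minimal local account record (assumed shape, not the plugin's)."""
    username: str
    email: str
    display_name: str
    active: bool


@dataclass
class SsoConfig:
    """The two plugin settings named in the advisory (field names assumed)."""
    user_update_method: str = "update_from_saml_attributes"  # or "no_update"
    reactivate_inactive_users: bool = False


# Constructed SAML attributes for a user the identity provider still
# authorizes, whose local account an administrator has deactivated.
ASSERTION_ATTRS = {
    "NameID": "jdoe",
    "email": "jdoe@example.test",
    "displayName": "Jane Doe",
}


def disabled_user() -> LocalUser:
    """Fresh copy of the locally deactivated account for each scenario."""
    return LocalUser("jdoe", "old@example.test", "J. Doe", active=False)


def vulnerable_login(user: LocalUser, cfg: SsoConfig, attrs: dict) -> bool:
    """Flawed flow: attribute sync rewrites the record before any activity
    check, so a disabled user comes out active. Returns True when a session
    would be granted."""
    if cfg.user_update_method == "update_from_saml_attributes":
        # The sync rebuilds the account from the assertion and sets `active`
        # along with the other fields; the reactivation policy is never read.
        user.email = attrs["email"]
        user.display_name = attrs["displayName"]
        user.active = True
    return user.active


def hardened_login(user: LocalUser, cfg: SsoConfig, attrs: dict) -> bool:
    """Fixed flow: an inactive user is rejected unless reactivation is
    explicitly enabled, and attribute sync never touches `active` on its own."""
    if not user.active:
        if not cfg.reactivate_inactive_users:
            return False  # deny before writing anything to the record
        user.active = True  # explicit, policy-gated reactivation
    if cfg.user_update_method == "update_from_saml_attributes":
        user.email = attrs["email"]
        user.display_name = attrs["displayName"]
    return True


def run_scenarios() -> dict:
    """Exercise both flows under the configurations the advisory discusses.
    Keys map to whether the disabled user gets a session."""
    results = {}

    # Affected plugin, default settings: reactivation toggle off, yet access granted.
    u = disabled_user()
    results["vuln_default"] = vulnerable_login(u, SsoConfig(), ASSERTION_ATTRS)

    # Affected plugin with the advisory's workaround: no attribute update, login denied.
    u = disabled_user()
    results["vuln_workaround"] = vulnerable_login(
        u, SsoConfig(user_update_method="no_update"), ASSERTION_ATTRS)

    # Hardened flow, default settings: denied, and the record stays inactive.
    u = disabled_user()
    results["fixed_default"] = hardened_login(u, SsoConfig(), ASSERTION_ATTRS)
    results["fixed_default_active_after"] = u.active

    # Hardened flow with reactivation deliberately enabled: granted by policy.
    u = disabled_user()
    results["fixed_reactivate_on"] = hardened_login(
        u, SsoConfig(reactivate_inactive_users=True), ASSERTION_ATTRS)
    return results


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name}: session granted = {granted}")
```

The "vuln_workaround" scenario is the point of the interim advice: with attribute updates turned off, the flawed sync path is never taken, so the local `active` flag keeps its administrator-set value. The example does not model identity-provider validation at all, which is why deprovisioning the user at the identity provider closes the path independently of the plugin version.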


Related identifiers

CVE-2019-13347

Affected products

Bamboo
Bitbucket
Confluence
Jira
SAML SSO Plugin