CyberSec.Space Logo
Back to CVE Browser

CVE-2021-37843

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0070%
EPSS Percentile34.11th
PublishedAug 2, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Saml Single Sign On

< 2.5.9
πŸ“¦
Atlassian

Saml Single Sign On

< 2.5.9
πŸ“¦
Atlassian

Saml Single Sign On

< 2.5.9
πŸ“¦
Atlassian

Saml Single Sign On

< 3.5.6
πŸ“¦
Atlassian

Saml Single Sign On

< 3.6.6.1
πŸ“¦
Atlassian

Saml Single Sign On

>= 3.0.0 and < 3.6.6
πŸ“¦
Atlassian

Saml Single Sign On

>= 3.0.0 and < 3.6.6
πŸ“¦
Atlassian

Saml Single Sign On

>= 3.6.0 and < 3.6.6.1
πŸ“¦
Atlassian

Saml Single Sign On

>= 4.0.0 and < 4.0.12
πŸ“¦
Atlassian

Saml Single Sign On

>= 4.0.0 and < 4.0.12
πŸ“¦
Atlassian

Saml Single Sign On

>= 4.0.0 and < 4.0.12
πŸ“¦
Atlassian

Saml Single Sign On

>= 4.0.0 and < 4.0.12
πŸ“¦
Atlassian

Saml Single Sign On

>= 5.0.0 and < 5.0.5
πŸ“¦
Atlassian

Saml Single Sign On

>= 5.0.0 and < 5.0.5
πŸ“¦
Atlassian

Saml Single Sign On

>= 5.0.0 and < 5.0.5
πŸ“¦
Atlassian

Saml Single Sign On

>= 5.0.0 and < 5.0.5

References & Advisories

πŸ”— https://wiki.resolution.de/doc/saml-sso/5.0.x/all/security-advisories/2021-07-29-authentication-bypass-network-attacker-can-login-to-users-accounts-when-usernames-are-known
πŸ”— https://wiki.resolution.de/doc/saml-sso/5.0.x/all/security-advisories/2021-07-29-authentication-bypass-network-attacker-can-login-to-users-accounts-when-usernames-are-known

Related Vulnerabilities

CVE-2020-202110.0

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option i...

CVE-2021-438349.1

eLabFTW is an electronic lab notebook manager for research teams. In versions prior to 4.2.0 there is a vulnerability which allows...

CVE-2019-17148.6

A vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN...

CVE-2020-54257.9

Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x versions prior to 1.12.4 and 1.13.x prior to 1.13.1 are vulne...