Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.
What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could bypass authentication and gain unauthorized access to Jira or Confluence as a valid user. This may allow the attacker to view or modify content and perform actions with the same permissions as the compromised account, based on the authorization levels defined for that user within the Jira or Confluence server. How could an attacker exploit the vulnerability? An attacker could exploit this vulnerability by sending a specially crafted SSO response during the login process that tricks the system into accepting a forged identity, allowing the attacker to sign in without authenticating the user through Microsoft Entra ID. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), but could lead to no loss of availability (A:N). What does that mean for this vulnerability? This means that an attacker who successfully exploits the vulnerability could access sensitive information and modify data within Jira or Confluence based on the authorization defined for the user in those servers but availability is not impacted because the vulnerability only allows an attacker to bypass authentication and act as a legitimate user, without providing any capability to disrupt, degrade, or take down the Jira or Confluence service itself.
Robert Fitzpatrick with Microsoft