View Source

Communcation by Vendor

On 08 Nov 2023 Kantega released a new version of Kantega SSO Enterprise to fix security vulnerabilities in their app related to a faulty URL parameter sanitization allows HTML injection into the SAML login page. We urge our customers to update to the latest available version of Kantega SSO Enterprise.

Summary	Faulty sanitization allows remote attackers to inject arbitrary web script or HTML via URL parameters on the SAML POST binding login servlet in Kantega SSO Enterprise.
Affected apps	Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo
Affected versions	All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0
Affected product feature	Identity Providers > SAML > Advanced SAML Settings > POST binding
Patched versions	Starting from 6.20.0. Backport patches: 5.11.5, 4.14.9

Date	08 Nov 2023
Product	Kantega SSO Enterprise
Vulnerability	Critical
Marketplace link	https://marketplace.atlassian.com/apps/1211923/
Base product	Jira / Confluence / Bitbucket / Bamboo
Vendor	Kantega

Recommendation by bitvoodoo

If you use this app for Jira / Confluence / Bitbucket / Bamboo, update to version 6.20.0

Support

If you need any assistance please contact the bitvoodoo support via support.bitvoodoo.ch.