CVE-2021-37843
📋 TL;DR
CVE-2021-37843 is an authentication bypass in the resolution SAML SSO apps for Atlassian products. A remote attacker who knows a valid username can log into that account with no password, no SAML assertion and no interaction with the identity provider. The affected apps exist for Jira, Confluence, Bitbucket, Bamboo and Fisheye. Any organization running a vulnerable version of the app on one of these products is at risk; the underlying Atlassian product version does not matter.
💻 Affected Systems
- Jira
- Confluence
- Bitbucket
- Bamboo
- Fisheye
📦 What is this software?
resolution SAML SSO is a third-party Atlassian Marketplace app from resolution (resolution.de) that adds SAML 2.0 single sign-on to Jira, Confluence, Bitbucket, Bamboo and Fisheye. It sits in the login path: users are redirected to an external identity provider, the provider returns a signed SAML assertion, and the app consumes that assertion and creates an Atlassian session for the matching account. Because the app itself decides when a session is issued, a flaw in it bypasses the product's own password or directory authentication entirely.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, allowing attackers to access sensitive data, modify configurations, escalate privileges, and potentially pivot to other systems.
Likely Case
Unauthorized access to user accounts leading to data theft, privilege escalation, and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, monitoring, and access controls are in place, but authentication bypass still poses significant risk.
🎯 Exploit Status
Exploitation requires only a known username and network access to the vulnerable system. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- Jira: 3.6.6.1, 4.0.12, 5.0.5
- Confluence: 3.6.6, 4.0.12, 5.0.5
- Bitbucket: 2.5.9, 3.6.6, 4.0.12, 5.0.5
- Bamboo: 2.5.9, 3.6.6, 4.0.12, 5.0.5
- Fisheye: 2.5.9
Each entry is the first fixed release of its release line (2.5.x, 3.6.x, 4.0.x, 5.0.x); upgrade to at least the listed version for the line you run. Note that the Jira 3.6.x fix is 3.6.6.1, not 3.6.6.
Restart Required: Yes
Instructions:
1. Identify the affected Atlassian product and the installed resolution SAML SSO app version (Administration > Manage apps).
2. Download the fixed app version for that product and release line (Atlassian Marketplace or resolution.de).
3. Back up the current SAML SSO configuration (identity provider settings, certificates, user-attribute mappings).
4. Install the updated app.
5. Restart the Atlassian service.
6. Verify that SSO login still works and that the version shown under Manage apps is at or above the fixed version for your release line.
🔧 Temporary Workarounds
Disable resolution SAML SSO
Temporarily disable the vulnerable resolution SAML SSO app and fall back to the product's built-in authentication (local passwords or the configured LDAP/Crowd directory). Users then need a working password in that directory; accounts that have only ever authenticated through the identity provider may need passwords set or reset first.
Navigate to Atlassian application administration > Manage apps > Disable resolution SAML SSO
Network isolation
Restrict network access to Atlassian instances to trusted IP ranges only. Rule order matters: the ACCEPT rule must precede the DROP rule, and because -A appends, check that no earlier rule already accepts the port. If a reverse proxy fronts the instance, apply the restriction at the proxy, since the backend port may never see the client IP. Rules added this way do not survive a reboot unless saved.
iptables -A INPUT -p tcp --dport [atlassian_port] -s [trusted_ip_range] -j ACCEPT
iptables -A INPUT -p tcp --dport [atlassian_port] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted sources only
- Enable detailed authentication logging and monitor for suspicious logins, in particular SSO sessions for which the identity provider has no matching authentication record
🔍 How to Verify
Check if Vulnerable:
Open Administration > Manage apps in the Atlassian product and read the installed resolution SAML SSO version. You are vulnerable if it is below the fixed version for your product and release line (2.5.x, 3.6.x, 4.0.x or 5.0.x) in the advisory; Jira 3.6.x, for example, needs 3.6.6.1, whereas Confluence 3.6.x needs 3.6.6.
Check Version:
Administration > Manage apps > resolution SAML SSO shows the installed version; the same listing is available to administrators through the Universal Plugin Manager REST API under /rest/plugins/1.0/.
Verify Fix Applied:
Confirm the installed version is at or above the fixed version for your release line. Then confirm that SSO login for a test account completes only after the identity provider has authenticated that account; knowing a username must not be enough to obtain a session.
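The version comparison above can be automated. The following is an added example (not resolution's or Atlassian's code) that encodes the fixed versions listed on this page and decides whether an installed app version is affected. It assumes that the app's plugin keys in the Universal Plugin Manager share the prefix com.resolution.atlasplugins.samlsso, that GET /rest/plugins/1.0/ returns a JSON object with a plugins array of key/version entries, and that release lines the advisory does not list received no fix; check all three against your own instance.

```python
"""Decide whether an installed resolution SAML SSO version is fixed for
CVE-2021-37843, using the fixed versions listed on this page.

Added example, not code from resolution or Atlassian. Assumptions are marked.
"""
import base64
import json
import urllib.request

# Fixed versions per product and release line (major.minor), from the
# advisory as quoted on this page. A version on one of these lines is
# fixed once it is >= the listed version.
FIXED = {
    "jira":       {(3, 6): (3, 6, 6, 1), (4, 0): (4, 0, 12), (5, 0): (5, 0, 5)},
    "confluence": {(3, 6): (3, 6, 6),    (4, 0): (4, 0, 12), (5, 0): (5, 0, 5)},
    "bitbucket":  {(2, 5): (2, 5, 9), (3, 6): (3, 6, 6), (4, 0): (4, 0, 12), (5, 0): (5, 0, 5)},
    "bamboo":     {(2, 5): (2, 5, 9), (3, 6): (3, 6, 6), (4, 0): (4, 0, 12), (5, 0): (5, 0, 5)},
    "fisheye":    {(2, 5): (2, 5, 9)},
}

# Assumption: the app's plugin keys share this prefix in the Universal
# Plugin Manager (UPM). Verify against Manage apps on your instance.
PLUGIN_KEY_PREFIX = "com.resolution.atlasplugins.samlsso"


def parse_version(text):
    """'3.6.6.1' -> (3, 6, 6, 1). A non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError("unparseable version: %r" % text)
    return tuple(parts)


def assess(product, version_text):
    """Return (vulnerable, reason) for a product/version pair."""
    product = product.lower()
    if product not in FIXED:
        raise ValueError("unknown product: %r" % product)
    version = parse_version(version_text)
    lines = FIXED[product]
    line = version[:2]
    if line in lines:
        fixed = ".".join(map(str, lines[line]))
        if version >= lines[line]:
            return False, "at or above fixed %s" % fixed
        return True, "below fixed %s" % fixed
    if version > max(lines.values()):
        return False, "newer than every fixed line"
    # Assumption: release lines the advisory does not list received no fix.
    return True, "release line %d.%d has no listed fix" % line


def find_app_version(upm_json):
    """Pull the SAML SSO app version out of a UPM plugin listing.

    Assumption: the listing is the JSON object returned by
    GET <base-url>/rest/plugins/1.0/ with a top-level "plugins" array whose
    entries carry "key" and "version".
    """
    for plugin in upm_json.get("plugins", []):
        if plugin.get("key", "").startswith(PLUGIN_KEY_PREFIX):
            return plugin["version"]
    return None


def fetch_upm_listing(base_url, username, password):
    """GET the UPM listing with basic auth (needs an administrator). Not run offline."""
    req = urllib.request.Request(base_url.rstrip("/") + "/rest/plugins/1.0/")
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed UPM response standing in for a real Jira instance.
    sample = {"plugins": [
        {"key": "com.atlassian.jira.plugins.jira-bitbucket-connector-plugin", "version": "7.0.1"},
        {"key": "com.resolution.atlasplugins.samlsso-jira", "version": "4.0.11", "enabled": True},
    ]}
    installed = find_app_version(sample)
    print("installed:", installed, "->", assess("jira", installed))
```

To run it against a live instance, replace the constructed sample with fetch_upm_listing(base_url, admin_user, admin_password) and pass the product name matching the plugin key suffix. The per-line table is what makes the check reliable: a plain "version >= 3.6.6" test would wrongly clear Jira 3.6.6, whose fix is 3.6.6.1.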
📡 Detection & Monitoring
Log Indicators:
- Sessions created by the SAML SSO app for a user and time for which the identity provider has no corresponding assertion or authentication record
- Several different accounts entered from the same source address in a short time (consistent with an attacker iterating over known usernames)
- Logins from unusual IP addresses, locations or user agents
Network Indicators:
- Requests to the app's SAML assertion consumer endpoint that were not preceded by a redirect to the identity provider, or that carry no SAMLResponse parameter
- Unusual authentication traffic patterns
SIEM Query:
A single-source search cannot reveal a missing identity-provider event, so join the two sources. Splunk-style illustration, assuming user, uri and status have been extracted from the Atlassian access log, the IdP audit log lives in index=idp with an assertion_issued event, and the app's callback path is /plugins/servlet/samlsso (field names and path are assumptions; check them against your logs, and add a comparison of _time against idp_time for a tighter match):
index=atlassian uri="/plugins/servlet/samlsso" status=302 | join type=left user [search index=idp event=assertion_issued | eval idp_time=_time | fields user, idp_time] | where isnull(idp_time)
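The first log indicator, a session the identity provider never authenticated, needs both log sources side by side. The following is an added example (not from resolution, Atlassian or any identity-provider vendor) that correlates constructed, pre-normalised records from the two sides and flags SSO logins with no IdP assertion for that user in the preceding two minutes, then ranks source addresses by how many distinct accounts they entered that way. The CSV columns, event names and the 120-second window are assumptions standing in for whatever your SIEM's field extraction produces; the real log formats differ.

```python
"""Flag SAML SSO logins on the Atlassian side that have no matching
authentication at the identity provider (IdP): the signature of an
authentication bypass in the SSO app, where no real SAML exchange happened.

Added example, not code from resolution, Atlassian or any IdP vendor. It
assumes both log sources have already been normalised to the CSV columns
below (a SIEM field extraction would do this); real log formats differ.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed Atlassian-side records: sessions created by the SSO app.
APP_LOGINS = """time,user,src_ip,event
2021-07-29T10:15:02Z,alice,198.51.100.20,sso_login
2021-07-29T10:16:40Z,bob,198.51.100.21,sso_login
2021-07-29T11:02:11Z,alice,203.0.113.7,sso_login
2021-07-29T11:02:19Z,bob,203.0.113.7,sso_login
2021-07-29T11:02:27Z,admin,203.0.113.7,sso_login
"""

# Constructed IdP-side records: assertions the IdP actually issued.
IDP_ASSERTIONS = """time,user,assertion_id
2021-07-29T10:14:58Z,alice,_a1
2021-07-29T10:16:37Z,bob,_a2
"""

# Assumption: an assertion precedes its login by at most this many seconds.
WINDOW_SECONDS = 120


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def unmatched_logins(app_csv, idp_csv, window_seconds=WINDOW_SECONDS):
    """Return app-side logins with no IdP assertion for that user inside the window."""
    issued = defaultdict(list)
    for row in load_csv(idp_csv):
        issued[row["user"]].append(parse_time(row["time"]))
    flagged = []
    for row in load_csv(app_csv):
        if row["event"] != "sso_login":
            continue
        login_at = parse_time(row["time"])
        # Matched if some assertion for this user was issued shortly before the login.
        matched = any(
            0 <= (login_at - issued_at).total_seconds() <= window_seconds
            for issued_at in issued[row["user"]]
        )
        if not matched:
            flagged.append(row)
    return flagged


def sources_by_unmatched_count(flagged):
    """Rank source IPs by how many distinct accounts they entered without an IdP record."""
    accounts = defaultdict(set)
    for row in flagged:
        accounts[row["src_ip"]].add(row["user"])
    return sorted(((ip, len(users)) for ip, users in accounts.items()),
                  key=lambda pair: -pair[1])


if __name__ == "__main__":
    bad = unmatched_logins(APP_LOGINS, IDP_ASSERTIONS)
    for row in bad:
        print("UNMATCHED", row["time"], row["user"], "from", row["src_ip"])
    print(sources_by_unmatched_count(bad))
```

On the constructed data the two morning logins match assertions issued a few seconds earlier, while the three logins from 203.0.113.7 at 11:02 have no IdP record at all and the same source enters three different accounts in sixteen seconds, which is the pattern to alert on. Keep the window short: an attacker with a valid username could otherwise ride on a legitimate assertion the real user triggered much earlier.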
🔗 References
- https://wiki.resolution.de/doc/saml-sso/5.0.x/all/security-advisories/2021-07-29-authentication-bypass-network-attacker-can-login-to-users-accounts-when-usernames-are-known