This vulnerability exists in all versions of the app starting from 3.0.0.
The other four authenticators (NTLM, Kerberos, SAML and X.509) are not affected.
Unfortunately, there is no way for us to tell what specific authenticator customers like you are using, so we are informing everyone.
The possible attack is predicated on the ability of a malicious client to access Atlassian application (configured with EasySSO HTTP Header authentication) directly over the network via non-proxied access or through a proxy not configured securely. Though it was never envisioned that HTTP Headers authenticator will be deployed insecurely with the above access possible, we nevertheless accept this as a problem in our product.
We have scored the vulnerability as 8.1 (High) on CVSS base score.
Full CVSS 3.1 vector is: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
If you or your security team has questions about the exact nature of the vulnerability - please get back in touch with us on firstname.lastname@example.org
Please do confirm first that you are actually using HTTP Headers authenticator with EasySSO (as most of our clients do not).
Here's how you can check:
In the current EasySSO versions, this can be done in Administration/Manage Add-Ons/TechTime Add-ons/EasySSO/Headers
In the older EasySSO versions, the same screen is available in Administration/Manage Add-Ons/TechTime Add-Ons/EasySSO/Advanced/Advanced Filtering Configuration/Custom Authentication
If you see no rows configured, for any headers or attributes - you are NOT affected.
If you are using HTTP Headers authenticator - please update to the latest version of EasySSO.
If the version of the base app that you run is not listed as compatible - please get back to us and we will issue a hotfix compatible with the version of the base application that you need.
We have issued versions 4.2.9 and 3.1.8 with the fix