[Bugcrowd] Anyone who knows a Workspace name can deny SSO authentication for any Workspace

Description

From Bugcrowd:

The app allows configuring SSO for authentication. Admins must specify a workspace id for their SSO configuration so that users can use SSO authentication. The workspace id must be unique, i.e. there must be no workspace with the same id on any other instance. And there is a validation that checks that the workspace id is available. However, there is no validation when the SSO configuration is created. One can send a request to create an SSO configuration and specify an existing workspace id. After that, SSO authentication for the specified workspace id stops working and the login URL returns an error.

Steps to reproduce:

  1. Log in to the victim's instance

  2. Go to https://<VICTIM_INSTANCE>.atlassian.net/plugins/servlet/ac/ovh.atlasinc.jira.jira-share/jira-external-general-page

  3. On the SSO configuration tab click Create new configuration

  4. Fill all required fields (for this PoC it is not required that SSO works correctly, so you can fill any certificate value)

  5. Copy the Service Provider Login Url value from the bottom and save the configuration

  6. Try to open the copied login URL and ensure that it redirects you to the SSO login page

  7. Log in to the attacker's instance

  8. Go to https://<ATTACKER_INSTANCE>.atlassian.net/plugins/servlet/ac/ovh.atlasinc.jira.jira-share/jira-external-general-page

  9. On the SSO configuration tab click Create new configuration

  10. Fill all required fields, ensure that when you enter the victim's workspace id the app says that it is not available, so set any available id, click Save & Check SSO and intercept the request to /api/saml/configuration/<ID> in Burp Suite

  11. Change the workspace value to the victim's workspace id and process the request

  12. Go to the victim's login URL (https://jira.external-share.com/api/saml/login?workspace=<WORKSPACE>) and check that it is no longer working


This has only been reproduced on the Production version of ESFJ, but also on ESFC QA, so it’s safe to assume that it occurs on ESFJ QA.
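The report comes down to the uniqueness check living only in the availability lookup, while the save request is trusted. As an added example (not the app's own code or its actual fix), here is a save path that enforces ownership of the workspace id at write time; the sqlite3 store, the schema, the function names and the sample values are all assumptions made for illustration.

```python
import sqlite3

class WorkspaceTaken(Exception):
    """The workspace id is already bound to a different instance."""

def open_store():
    # Hypothetical schema. UNIQUE makes the database the final arbiter,
    # so two concurrent saves cannot both claim the same workspace id.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sso_config (instance TEXT NOT NULL, "
               "workspace TEXT NOT NULL UNIQUE, idp_cert TEXT NOT NULL)")
    return db

def is_available(db, workspace):
    """Advisory check behind the form field; not a security control."""
    q = "SELECT 1 FROM sso_config WHERE workspace = ?"
    return db.execute(q, (workspace,)).fetchone() is None

def save_config(db, instance, workspace, idp_cert):
    """Save path. `instance` must come from the authenticated session,
    never from the request body."""
    try:
        with db:  # one transaction: commit on success, roll back on error
            cur = db.execute(
                "UPDATE sso_config SET idp_cert = ? "
                "WHERE workspace = ? AND instance = ?",
                (idp_cert, workspace, instance))
            if cur.rowcount == 0:  # not ours yet: claim it, or fail on UNIQUE
                db.execute("INSERT INTO sso_config VALUES (?, ?, ?)",
                           (instance, workspace, idp_cert))
    except sqlite3.IntegrityError:
        raise WorkspaceTaken(workspace) from None

def lookup_for_login(db, workspace):
    """What the login URL would resolve for ?workspace=<id>."""
    q = "SELECT instance, idp_cert FROM sso_config WHERE workspace = ?"
    return db.execute(q, (workspace,)).fetchone()

def demo():
    db = open_store()
    save_config(db, "victim-instance", "acme", "VICTIM-CERT")  # constructed values
    try:
        # Body edited after the availability check passed for another id.
        save_config(db, "attacker-instance", "acme", "ATTACKER-CERT")
        rejected = False
    except WorkspaceTaken:
        rejected = True
    return rejected, lookup_for_login(db, "acme")

if __name__ == "__main__":
    print(demo())
```

The second save is rejected and the first instance's configuration is left untouched, so the login lookup for that workspace still resolves to its original owner.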

Activity

Daniel Stefaniak 18 March 2026, 19:23

Fix verified on ESFJ QA. The attack no longer works. The attempt produces an error (attached) in Burp Suite and the result in ESFJ SSO Settings (after returning to the SSO list) is an incomplete configuration, as shown in the screenshot. The original (victim’s) configuration still works afterwards.

Edit: actually, I’m not sure if I’ve correctly saved the error, so in case it’s needed, hit me on Zulip and I’ll produce a new one.