Kiuwan SAST Improper Authorization Vulnerability for Disabled User Accounts via SSO
Vulnerability
A vulnerability exists in Kiuwan SAST Cloud and in Kiuwan SAST On-Premise (KOP) versions prior to 2.8.2509.4, allowing users with locally disabled accounts to access the application through Single Sign-On (SSO) authentication. This issue arises because Kiuwan SAST does not properly enforce account status for users authenticated via SSO, enabling access even when accounts have been disabled by an administrator.
Impact
Exploitation of this vulnerability allows disabled users to access the Kiuwan SAST WebUI, bypassing account restrictions. However, this issue does not affect the Kiuwan Local Analyzer (KLA) tool, which correctly verifies account status before authentication.
Reproduction
To reproduce this vulnerability, first disable a user account in the Kiuwan user settings. Then authenticate as that user via SSO (for example, through Microsoft ADFS). Although the account is disabled, access to the Kiuwan WebUI is granted. The expected behaviour is that a disabled account is rejected on every authentication path, not only on local password login.
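The pattern behind this class of bug, and the reproduction check above, as an added illustration that is not Kiuwan's code and makes no claim about its internals: a local login path enforces the account's enabled flag, while the SSO path maps the identity provider's asserted subject to a local account and grants a session without consulting that flag. The hardened form routes every login path through one post-authentication gate. All names (`User`, `SsoAssertion`, `establish_session`, the sample directory) are hypothetical and constructed for the example.

```python
"""Hypothetical illustration of an SSO account-status bypass (added example).

Two login paths share one user store. The vulnerable SSO path trusts the
identity provider's assertion and never re-checks the local 'enabled' flag;
the hardened version funnels every path through establish_session().
"""
from dataclasses import dataclass
from typing import Callable, Optional
import hashlib
import hmac


class AccessDenied(Exception):
    pass


@dataclass
class User:
    username: str
    password_hash: str                 # hex of salted SHA-256 (demo only)
    enabled: bool = True
    sso_subject: Optional[str] = None  # NameID the IdP asserts for this account


def _hash_pw(password: str, salt: str = "static-demo-salt") -> str:
    # Demo hashing; a real system would use a slow, per-user-salted KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample directory (hypothetical, not real Kiuwan data).
USERS = {
    "alice": User("alice", _hash_pw("correct horse"), enabled=True,
                  sso_subject="alice@corp.example"),
    "bob":   User("bob",   _hash_pw("battery staple"), enabled=False,
                  sso_subject="bob@corp.example"),
}
BY_SUBJECT = {u.sso_subject: u for u in USERS.values()}


@dataclass
class SsoAssertion:
    """Stand-in for a SAML/WS-Fed assertion after signature validation."""
    subject: str
    valid_signature: bool = True


# --- Vulnerable pattern ----------------------------------------------------

def login_local_vulnerable(username: str, password: str) -> dict:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password_hash, _hash_pw(password)):
        raise AccessDenied("bad credentials")
    if not user.enabled:
        raise AccessDenied("account disabled")   # status check present here ...
    return {"user": user.username, "via": "local"}


def login_sso_vulnerable(assertion: SsoAssertion) -> dict:
    if not assertion.valid_signature:
        raise AccessDenied("invalid assertion")
    user = BY_SUBJECT.get(assertion.subject)
    if user is None:
        raise AccessDenied("unknown subject")
    # ... but absent here: the IdP vouched for *who* this is, and the local
    # disabled flag is never consulted. Authentication is not authorization.
    return {"user": user.username, "via": "sso"}


# --- Hardened pattern ------------------------------------------------------

def establish_session(user: User, via: str) -> dict:
    """Single post-authentication gate every login path must pass through."""
    if not user.enabled:
        raise AccessDenied("account disabled")
    return {"user": user.username, "via": via}


def login_local_fixed(username: str, password: str) -> dict:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password_hash, _hash_pw(password)):
        raise AccessDenied("bad credentials")
    return establish_session(user, "local")


def login_sso_fixed(assertion: SsoAssertion) -> dict:
    if not assertion.valid_signature:
        raise AccessDenied("invalid assertion")
    user = BY_SUBJECT.get(assertion.subject)
    if user is None:
        raise AccessDenied("unknown subject")
    return establish_session(user, "sso")


# --- Reproduction check ----------------------------------------------------

def denied(login: Callable, *args) -> bool:
    """True if the login attempt raises AccessDenied."""
    try:
        login(*args)
        return False
    except AccessDenied:
        return True


def sso_bypasses_disable(login_sso: Callable[[SsoAssertion], dict]) -> bool:
    """Mirror of the advisory's repro: does a disabled user get a session via SSO?"""
    return not denied(login_sso, SsoAssertion(subject="bob@corp.example"))


if __name__ == "__main__":
    print("vulnerable SSO path bypasses disable:", sso_bypasses_disable(login_sso_vulnerable))
    print("fixed SSO path bypasses disable:     ", sso_bypasses_disable(login_sso_fixed))
```

The same `sso_bypasses_disable` shape doubles as a regression test after upgrading: disable a throwaway account, present a valid SSO assertion for it, and assert the session is refused.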
Remediation
Users of Kiuwan SAST On-Premise should upgrade to version 2.8.2509.4 or later. For Kiuwan Cloud users, the issue has already been resolved in the latest release. After upgrading, verify the fix by repeating the reproduction steps above and confirming that SSO login for a disabled account is refused.
