it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecNots] [Security-news] SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006
  • Date: Wed, 11 Mar 2020 16:31:34 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-006

Project: SAML Service Provider [1]
Date: 2020-March-11
Security risk: *Critical* 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to authenticate Drupal users using an external SAML
Identity Provider.

If the site is configured to allow visitors to register for user accounts but
administrator approval is required, the module doesn't sufficiently enforce
the administrative approval requirement, in the case where the requesting
user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in
this way have only default roles, which may not have access significantly
beyond that of an anonymous user. Sites that cannot upgrade immediately can
mitigate the vulnerability by disabling public registration.
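The following snippet is an added illustration of the control the advisory says was not enforced; it is not code from the SAML Service Provider module or from the fix release. It assumes a Drupal 8 site context (the `\Drupal` container is available), that the caller has already validated the SAML assertion, and that `$name` and `$mail` come from the validated assertion. The function name and its placement in the login flow are assumptions for the example.

```php
<?php
// Added illustration, not code from the saml_sp module. Assumes a Drupal 8
// site context and that the SAML assertion has already been validated.

use Drupal\user\Entity\User;
use Drupal\user\UserInterface;

/**
 * Provision a local account for a SAML-authenticated subject, honouring the
 * site's "Who can register accounts?" setting (user.settings: register).
 *
 * Returns NULL when registration is closed. A blocked account is returned but
 * must not be logged in: administrator approval is still pending.
 */
function example_saml_provision_account(string $name, string $mail): ?UserInterface {
  $register = \Drupal::config('user.settings')->get('register');

  // Registration is closed to visitors: a successful SAML login by an unknown
  // subject does not create a local account at all.
  if ($register === UserInterface::REGISTER_ADMINISTRATORS_ONLY) {
    return NULL;
  }

  $account = User::create([
    'name' => $name,
    'mail' => $mail,
    'init' => $mail,
  ]);

  if ($register === UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
    // The weakness described in the advisory amounts to skipping this branch,
    // i.e. treating every SAML-authenticated subject as already approved.
    // Store the account blocked so an administrator has to activate it.
    $account->block();
  }
  else {
    $account->activate();
  }
  $account->save();

  // Only an active account may proceed to a Drupal session.
  if ($account->isBlocked()) {
    \Drupal::messenger()->addStatus(t('Your account is pending approval by the site administrator.'));
    return $account;
  }
  user_login_finalize($account);
  return $account;
}
```

The decisive point is that the approval check is made on the local registration policy, not on the outcome of the SAML exchange: a valid assertion proves who the subject is, not that the site has agreed to give them an account. To see which registration mode a site is running, `drush config:get user.settings register` prints the current value (`visitors`, `visitors_admin_approval` or `admin_only`); `admin_only` is the "disable public registration" workaround the advisory describes.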

Solution: 
Install the latest version:

* If you use the SAML Service Provider module for Drupal 8.x, upgrade to
SAML Service Provider 8.x-3.7 [3]

Also see the SAML Service Provider [4] project page.

Reported By: 
* J Proctor [5]

Fixed By: 
* J Proctor [6]
* James Glasgow [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/saml_sp
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/saml_sp/releases/8.x-3.7
[4] https://www.drupal.org/project/saml_sp
[5] https://www.drupal.org/user/1194192
[6] https://www.drupal.org/user/1194192
[7] https://www.drupal.org/user/36590
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

