Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014
  • Date: Wed, 2 Jun 2021 17:46:32 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-014

Project: OpenID Connect / OAuth client [1]
Date: 2021-June-02
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module allows users to authenticate against an Oauth 2.0 / OpenID
Connect identity provider to login to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access, by
way of using the 'password reset' facility, for users who are supposed to
only be able to log in through the identity provider. This creates a scenario
where after such a user is blocked from logging in through the identity
provider but not explicitly blocked in Drupal, they are still able to log in
by sending themselves a Drupal 'password reset' e-mail.

Solution: 
Install the latest version:

* If you use the openid_connect module for Drupal 8/9, upgrade to
openid_connect 8.x-1.1 [3]
* If you use the openid_connect module for Drupal 7, upgrade to
openid_connect 7.x-1.0 [4]

Reported By: 
* Jeffrey Bertoen [5]

Fixed By: 
* João Ventura [6]
* Philip Frilling [7]
* Jeffrey Bertoen [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team


[1] https://www.drupal.org/project/openid_connect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/openid_connect/releases/8.x-1.1
[4] https://www.drupal.org/project/openid_connect/releases/7.x-1.0
[5] https://www.drupal.org/user/2733365
[6] https://www.drupal.org/user/122464
[7] https://www.drupal.org/user/169695
[8] https://www.drupal.org/user/2733365
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/255969

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014, security-news, 02.06.2021

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang