Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044
  • Date: Wed, 17 Nov 2021 21:57:50 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-044

Project: OpenID Connect Microsoft Azure Active Directory client [1]
Date: 2021-November-17
Security risk: *Moderately critical* 14∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass

Description: 
This module enables users to authenticate through their Microsoft Azure AD
account.

The module does not sufficiently check authorization before updating user
profile information in certain non-default configurations. This could lead a
user being able to hijack another existing account.

This vulnerability is mitigated by the fact that an attacker must have
knowledge of user accounts that have the administrator role or accounts with
the 'Set a password for local authentication' permission. In addition the
site must be configured with the 'Update email address in user profile'
setting turned on.

Solution: 
Install the latest version:

* If you use the OpenID Connect Microsoft Azure Active Directory client
module 7.x-1.x, upgrade to OpenID Connect Microsoft Azure Active Directory
client 7.x-1.2 [3]
* If you use the OpenID Connect Microsoft Azure Active Directory client
module 8.x-1.x, upgrade to OpenID Connect Microsoft Azure Active Directory
client 8.x-1.4 [4]

Reported By: 
* John Kingsnorth [5]

Fixed By: 
* John Kingsnorth [6]
* Lee Rowlands [7] of the Drupal Security Team
* Jesse Payne [8]
* Fabian de Rijk [9]

Coordinated By: 
* Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/openid_connect_windows_aad
[2] https://www.drupal.org/security-team/risk-levels
[3]
https://www.drupal.org/project/openid_connect_windows_aad/releases/7.x-1.2
[4]
https://www.drupal.org/project/openid_connect_windows_aad/releases/8.x-1.4
[5] https://www.drupal.org/user/2659819
[6] https://www.drupal.org/user/2659819
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/user/696648
[9] https://www.drupal.org/user/278745
[10] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044, security-news, 17.11.2021

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang