it-securitynotifies - [IT-SecNots] [Security-news] OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
  • Date: Wed, 4 Mar 2026 18:00:42 +0000
  • Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/AS67LVGMAP5N4FSSPVZAMW6DFXUDXOCL/>

View online: https://www.drupal.org/sa-contrib-2026-025

Project: OpenID Connect / OAuth client [1]
Date: 2026-March-04
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Server-side request forgery, Information disclosure

Affected versions: <1.5.0
CVE IDs: CVE-2026-3530
Description: 
This module enables you to use an external OpenID Connect login provider to
authenticate and log in users on your site. If a user signs in with a login
provider for the first time on the website, a new Drupal user will be
created.

The module doesn't sufficiently validate certain fields coming from the
identity provider, which could lead to SSRF and information disclosures.

This vulnerability is mitigated by the following:
- An attacker must have access to the identity provider in order to supply
compromised data in the source profile.
- A site must have specific field mappings configured.
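As an added illustration, not code from the module (which is PHP) or from the advisory, the Python sketch below shows the kind of guard a site would place in front of any server-side fetch of an IdP-supplied URL claim before a field mapping acts on it: only http(s), no embedded credentials, and every resolved address must be public. The sample claims and the injectable `resolver` parameter are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample of userinfo claims as an identity provider might return
# them. "picture" is a standard OIDC claim whose value a site may fetch
# server-side when it is mapped onto a user field; here it points at a
# loopback address, the kind of value a compromised IdP could supply.
SAMPLE_CLAIMS = {
    "sub": "1234",
    "email": "alice@example.com",
    "picture": "http://127.0.0.1:8080/admin/status",
}

ALLOWED_SCHEMES = {"http", "https"}


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 zone id
    return addr.is_global and not addr.is_multicast


def url_claim_is_safe_to_fetch(url: str, resolver=socket.getaddrinfo) -> bool:
    """Decide whether a server-side fetch of an IdP-supplied URL would reach
    a public host over http(s). `resolver` is injectable so the check can be
    tested without DNS (hypothetical parameter, not part of any module)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # no embedded credentials
        return False
    try:  # literal IP in the URL: check it directly, no DNS needed
        return _is_public_ip(parts.hostname)
    except ValueError:
        pass
    try:
        infos = resolver(parts.hostname, parts.port or 80)
    except (OSError, ValueError):  # resolution failed or malformed port
        return False
    # Every address the name resolves to must be public, v4 and v6 alike.
    return bool(infos) and all(_is_public_ip(i[4][0]) for i in infos)


def filter_url_claims(claims, url_claims=("picture",), resolver=socket.getaddrinfo):
    """Return a copy of the claims with unsafe URL-typed claims dropped, so a
    field mapping never triggers a server-side fetch of them."""
    safe = dict(claims)
    for name in url_claims:
        if name in safe and not url_claim_is_safe_to_fetch(str(safe[name]), resolver):
            del safe[name]
    return safe
```

A resolve-then-fetch check is still exposed to DNS rebinding, so a production guard should pin the validated address for the actual connection and apply the same check to any redirect target.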

Solution: 
Install the latest version:

* If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect
8.x-1.5 [3]

Reported By: 
* Drew Webber (mcdruid) [4] of the Drupal Security Team

Fixed By: 
* Drew Webber (mcdruid) [5] of the Drupal Security Team
* Philip Frilling (pfrilling) [6]

Coordinated By: 
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Drew Webber (mcdruid) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/openid_connect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/openid_connect/releases/8.x-1.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/mcdruid
[6] https://www.drupal.org/u/pfrilling
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/mcdruid
[10] https://www.drupal.org/u/poker10
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3577063

Archive provided by MHonArc 2.6.19+.
