OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014

Project: OpenID Connect / OAuth client
Date: 2021-June-02
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.

Solution

Install the latest version:

If you use the openid_connect module for Drupal 8/9, upgrade to openid_connect 8.x-1.1
If you use the openid_connect module for Drupal 7, upgrade to openid_connect 7.x-1.0

Nick Onom
Marketing Project Manager

Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

Drupal · Security

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014

Description

Solution

We value your opinion. Please add your feedback.