[SECURITY-L] [Security-news] SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

CSIRT Unicamp security em unicamp.br
Qua Mar 11 14:58:37 -03 2020 

View online: https://www.drupal.org/sa-contrib-2020-006

Project: SAML Service Provider [1]
Date: 2020-March-11
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description:
This module enables you to authenticate Drupal users using an external SAML
Identity Provider.

If the site is configured to allow visitors to register for user accounts
but
administrator approval is required, the module doesn't sufficiently enforce
the administrative approval requirement, in the case where the requesting
user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in
this way have only default roles, which may not have access significantly
beyond that of an anonymous user. To mitigate the vulnerability without
upgrading sites could disable public registration.

Solution:
Install the latest version:

   * If you use the SAML Service Provider module for Drupal 8.x, upgrade to
     SAML Service Provider 8.x-3.7 [3]

Also see the SAML Service Provider [4] project page.

Reported By:
   * J Proctor  [5]

Fixed By:
   * J Proctor [6]
   * James Glasgow  [7]

Coordinated By:
   * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/saml_sp
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/saml_sp/releases/8.x-3.7
[4] https://www.drupal.org/project/saml_sp
[5] https://www.drupal.org/user/1194192
[6] https://www.drupal.org/user/1194192
[7] https://www.drupal.org/user/36590
[8] https://www.drupal.org/user/36762


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20200311/09e6378b/attachment.html>

Mais detalhes sobre a lista de discussão SECURITY-L