Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-June-02
Vulnerability:
Access bypass
Affected versions:
<1.1.0
Description:
This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site.
The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.
Solution:
Install the latest version:
- If you use the openid_connect module for Drupal 8/9, upgrade to openid_connect 8.x-1.1
- If you use the openid_connect module for Drupal 7, upgrade to openid_connect 7.x-1.0
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
