Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Date:
2021-September-22
Vulnerability:
Multiple vulnerabilities
Affected versions:
<2.24.0
Description:
This module provides a solution to authenticate visitors using existing SAML providers.
Certain non-default configurations allow a malicious user to login as any chosen user.
The vulnerability is mitigated by the module's default settings which require the options "Either sign SAML assertions" and "x509 certificate".
Solution:
Ensure that the "Either SAML response or SAML assertion must be signed" and "x509 certificate" options on the dedicated plugin page are both enabled.
Install the latest version:
- If you use the SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module for Drupal 8.x or 9.x, upgrade to SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider 8.x-2.24
- If you use the SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module for Drupal 7.x, upgrade to SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider 7.x-2.60
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
