Vulnerability from drupal
This module enables you to implement OAuth 2.0 authentication for Drupal.
The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.
This vulnerability is mitigated by the fact that the vast majority of OAuth 2.0 clients in the wild are public, not confidential. Furthermore, all affected grant types still require users to authenticate to Drupal during the OAuth flow.
The implicit grant type is insecure for other reasons (and still requires user authentication) and is disabled by default.
Sites at risk of information disclosure would be specifically configured to restrict access based on the OAuth client's confidentiality status and configured scopes, not only traditional Drupal user permissions and roles.
Further mitigation includes configuring allowed redirect URIs for clients (see RFC 6819, section 5.2.3.5: https://tools.ietf.org/html/rfc6819#section-5.2.3.5). This is an OAuth best practice for guarding against man-in-the-middle attacks on authorization codes, and prevents redirection to imposter clients.
Anyone implementing OAuth 2.0 on their Drupal site is also encouraged to review the relevant RFCs and Internet-Drafts pertaining to OAuth security (https://oauth.net/security/).
{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "<4.6.0 || >=5.0.0 <5.0.6"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/simple_oauth"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "<4.6.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": ">=5.0.0 <5.0.6"
          },
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/3686593"
      ],
      "name": "Simon Bäse"
    }
  ],
  "details": "This module enables you to implement OAuth 2.0 authentication for Drupal.\n\nThe module doesn't sufficiently verify client secret keys for \"confidential\" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.\n\nThis vulnerability is mitigated by the fact that the vast majority of OAuth 2.0 clients in the wild are public, not confidential. Furthermore, all affected grant types still require users to authenticate to Drupal during the OAuth flow.\n\nThe implicit grant type is insecure for other reasons (and still requires user authentication) and is disabled by default.\n\nSites at risk of information disclosure would be specifically configured to restrict access based on the OAuth client's confidentiality status and configured scopes, not only traditional Drupal user permissions and roles.\n\nFurther mitigation includes [configuring allowed redirect URIs for clients](https://tools.ietf.org/html/rfc6819#section-5.2.3.5). This is an OAuth best practice for guarding against man-in-the-middle attacks on authorization codes, and prevents redirection to imposter clients.\n\nAnyone implementing OAuth 2.0 on their Drupal site is also encouraged to review the [relevant RFCs and Internet-Drafts](https://oauth.net/security/) pertaining to OAuth security.",
  "id": "DRUPAL-CONTRIB-2022-002",
  "modified": "2023-08-11T14:06:15.000Z",
  "published": "2022-01-05T17:12:29.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2022-002"
    }
  ],
  "schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.