OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056

* Advisory ID: DRUPAL-SA-CONTRIB-2017-056
* Project: OAuth (third-party module)
* Version: 8.x
* Date: 2017-July-05
* Security risk: 15/25 (Critical)


This module enables you to protect requests via the OAuth authentication protocol.

The module doesn't sufficiently notify the Cache API to avoid caching responses in the scenario where an authenticated user requests a resource such as an unpublished node.

This vulnerability is mitigated by the fact that an attacker must know the available resources in a Drupal site.


* OAuth 8.x-2.x versions prior to 8.x-2.1.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.


In addition to updating the code, you must clear all caches.

* If you use the OAuth module for Drupal 8.x, upgrade to OAuth 8.x-2.1
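
The caching failure described above, and the reason the fix also requires clearing all caches, shown as an added example (a simplified model, not Drupal's Cache API or the OAuth module's code). The node path, token value and the `fixed` flag are constructed assumptions.

```python
# Constructed model for illustration; not Drupal's Cache API or the module's code.
NODES = {"/node/7": {"title": "Draft pricing", "published": False}}  # sample data
VALID_TOKENS = {"constructed-token"}  # stands in for a verified OAuth request


def backend(path, token, fixed):
    """Access-checked resource. `fixed` models the patched behaviour."""
    node = NODES.get(path)
    authenticated = token in VALID_TOKENS
    if node is None:
        return {"status": 404, "body": "", "cacheable": False}
    if not node["published"] and not authenticated:
        return {"status": 403, "body": "", "cacheable": False}
    # Unpatched: the response is left cacheable no matter who asked.
    # Patched: a response built for an authenticated request is not cacheable.
    return {"status": 200, "body": node["title"],
            "cacheable": not (fixed and authenticated)}


class PageCache:
    """Front cache keyed by URL only; serves hits to credential-less requests."""

    def __init__(self):
        self.store = {}

    def handle(self, path, token, fixed):
        if token is None and path in self.store:
            return self.store[path]
        response = backend(path, token, fixed)
        if response["cacheable"]:
            self.store[path] = response
        return response

    def clear_all(self):
        self.store.clear()


def anonymous_status(warm_fixed, serve_fixed, clear_caches=False):
    """Warm the cache with an authenticated request, then ask anonymously."""
    cache = PageCache()
    cache.handle("/node/7", "constructed-token", warm_fixed)
    if clear_caches:
        cache.clear_all()
    return cache.handle("/node/7", None, serve_fixed)["status"]


if __name__ == "__main__":
    print("unpatched:", anonymous_status(False, False))
    print("patched:", anonymous_status(True, True))
    print("patched, stale cache:", anonymous_status(False, True))
    print("patched, caches cleared:", anonymous_status(False, True, True))
```

In this model, an entry stored before the upgrade is still served afterwards until the cache is cleared, which is why the code update alone is not sufficient.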
