OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056

* Advisory ID: DRUPAL-SA-CONTRIB-2017-056
* Project: OAuth (third-party module)
* Version: 8.x
* Date: 2017-July-05
* Security risk: 15/25 (Critical)

DESCRIPTION

This module enables you to protect requests via the OAuth authentication protocol.

The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as an unpublished node.

This vulnerability is mitigated by the fact that an attacker must know the available resources in a Drupal site.

VERSIONS AFFECTED

* OAuth 8.x-2.x versions prior to 8.x-2.1.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

SOLUTION

In addition to updating the code, you must Clear all caches.

* If you use the OAuth module for Drupal 8.x, upgrade to OAuth 8.x-2.1
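
The following is an added illustration, not code from the advisory, Drupal core or the OAuth module. It is a simplified model of a page cache keyed only by URL, showing why a response built for an authenticated request must not be cached and why entries stored before the upgrade stay exposed until caches are cleared. The `PageCache` class, the `/node/7` path, the `Authorization: OAuth` header check and the token value are assumptions made for the example.

```python
# Simplified model of a URL-keyed page cache (hypothetical, not Drupal code).
# Assumption: OAuth credentials arrive in an "Authorization: OAuth ..." header.

URL = "/node/7"  # constructed path standing in for an unpublished node
OAUTH = {"Authorization": "OAuth oauth_token=constructed"}  # constructed header


def has_oauth(headers):
    return headers.get("Authorization", "").startswith("OAuth ")


def backend(url, headers):
    # Constructed backend: the node is visible only to the authenticated user.
    return "200 unpublished draft" if has_oauth(headers) else "403 access denied"


class PageCache:
    def __init__(self, deny_authenticated):
        # False models the affected behaviour, True the corrected behaviour.
        self.deny_authenticated = deny_authenticated
        self.store = {}

    def handle(self, url, headers):
        # Corrected behaviour: authenticated requests neither read nor write the cache.
        cacheable = not (self.deny_authenticated and has_oauth(headers))
        if cacheable and url in self.store:
            return self.store[url]
        response = backend(url, headers)
        if cacheable:
            self.store[url] = response
        return response

    def clear_all(self):
        self.store.clear()


def anonymous_view(deny_authenticated):
    """Authenticated request first, then an anonymous request for the same URL."""
    cache = PageCache(deny_authenticated)
    cache.handle(URL, OAUTH)
    return cache.handle(URL, {})


def anonymous_view_after_upgrade(clear_caches):
    """Entry stored while affected, then the code is upgraded."""
    cache = PageCache(deny_authenticated=False)
    cache.handle(URL, OAUTH)          # stored before the upgrade
    cache.deny_authenticated = True   # upgraded code
    if clear_caches:
        cache.clear_all()
    return cache.handle(URL, {})
```

In this model the upgraded code alone still serves the entry stored earlier; only the run that also clears the cache returns the access-denied response.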
