shib_auth Moderately Critical - Multiple vulnerabilities

* Advisory ID: DRUPAL-SA-CONTRIB-2017-043
* Project: Shibboleth authentication
* Version: 7.x
* Date: 2017-May-03
* Security risk: 13/25 ( Moderately Critical)
* Vulnerability: Access bypass, Information Disclosure


This module enables you to login via Shibboleth.

The module doesn't sufficiently logout the user when the shib session
expires, which depending on the caching mechanism makes private data public.

This vulnerability is mitigated by the fact that shib_auth would have to be
used in combination with a caching mechanism which caches content for
authenticated users.


* 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.


Install the latest version:

* If you use the shib_auth module for Drupal 7.x, upgrade to shib_auth

Also see the Shibboleth authentication project page:

Add new comment