shib_auth Moderately Critical - Multiple vulnerabilities

* Advisory ID: DRUPAL-SA-CONTRIB-2017-043
* Project: Shibboleth authentication
* Version: 7.x
* Date: 2017-May-03
* Security risk: 13/25 ( Moderately Critical)
* Vulnerability: Access bypass, Information Disclosure

DESCRIPTION

This module enables you to login via Shibboleth.

The module doesn't sufficiently logout the user when the shib session
expires, which depending on the caching mechanism makes private data public.

This vulnerability is mitigated by the fact that shib_auth would have to be
used in combination with a caching mechanism which caches content for
authenticated users.

VERSIONS AFFECTED

* 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the shib_auth module for Drupal 7.x, upgrade to shib_auth
7.x-4.4

Also see the Shibboleth authentication project page: https://www.drupal.org/project/shib_auth

Add new comment