Moderately Critical Access Bypass Vulnerability in Simple OAuth & OpenID Connect

The Drupal security team announced a moderately critical access bypass vulnerability, SA-CONTRIB-2022-002, in Simple OAuth (OAuth2) & OpenID Connect on January 5, 2022. This module is used to implement OAuth 2.0 authentication for Drupal.

The vulnerability exists because the module does not sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when certain grant types are used. The token refresh and client credentials grants are not affected.

This vulnerability is mitigated by the fact that the vast majority of OAuth 2.0 clients in use are public, not confidential. In addition, all affected grant types still require users to authenticate to Drupal during the OAuth flow.

The implicit grant type is insecure (and still requires user authentication) and is disabled by default. Sites at risk of information disclosure would be specifically configured to restrict access based on the OAuth client's confidentiality status and configured scopes, not only traditional Drupal user permissions and roles.

Further mitigation includes configuring allowed redirect URIs for clients. This is an OAuth best practice for guarding against man-in-the-middle attacks on authorization codes and prevents redirection to imposter clients.
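The two points above, secret verification for confidential clients on every grant type and exact-match redirect URI validation, are shown below as an added example in Python. This is generic OAuth 2.0 token-endpoint logic written for this page; it is not the simple_oauth module's code and does not reproduce its internals. The client registry, secrets and requests are constructed sample data, and the PBKDF2 secret hashing is an assumption chosen for the illustration.

```python
"""Added example, not from the simple_oauth module: a minimal token-endpoint
client check that (1) always requires confidential clients to prove
possession of their secret, whatever the grant type, and (2) only accepts
redirect URIs that exactly match a registered value."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: any slow hash (argon2, bcrypt) is fine


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the client secret, never the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Client:
    client_id: str
    confidential: bool                    # True = must authenticate with a secret
    salt: bytes = b""
    secret_hash: Optional[bytes] = None   # None for public clients
    redirect_uris: List[str] = field(default_factory=list)


# Constructed sample registry: one confidential server-side app, one public SPA.
_BACKEND_SALT = b"constructed-salt-01"
CLIENTS: Dict[str, Client] = {
    "web-backend": Client(
        "web-backend", True, _BACKEND_SALT,
        hash_secret("example-backend-secret", _BACKEND_SALT),
        ["https://app.example.com/callback"],
    ),
    "spa": Client("spa", False, redirect_uris=["https://spa.example.com/callback"]),
}


def client_authenticated(client: Client, presented_secret: Optional[str]) -> bool:
    """Confidential clients must present a valid secret; public clients cannot."""
    if not client.confidential:
        return True
    if presented_secret is None or client.secret_hash is None:
        return False
    candidate = hash_secret(presented_secret, client.salt)
    return hmac.compare_digest(client.secret_hash, candidate)


def redirect_uri_allowed(client: Client, uri: str) -> bool:
    # Exact string comparison: no prefix matching, no wildcards, no open redirect.
    return uri in client.redirect_uris


def validate_token_request(request: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a token request. The weak pattern is to run
    the secret check only for some grant types; here it runs before grant_type
    is even consulted, so a confidential client can never skip it."""
    client = CLIENTS.get(request.get("client_id", ""))
    if client is None:
        return False, "invalid_client"
    if not client_authenticated(client, request.get("client_secret")):
        return False, "invalid_client"

    grant = request.get("grant_type")
    if grant == "authorization_code":
        if not redirect_uri_allowed(client, request.get("redirect_uri", "")):
            return False, "invalid_grant"
        return True, "ok"
    if grant == "client_credentials":
        # Only confidential clients may obtain tokens without a user present.
        return (True, "ok") if client.confidential else (False, "unauthorized_client")
    if grant == "refresh_token":
        return True, "ok"
    return False, "unsupported_grant_type"


if __name__ == "__main__":
    ok_req = {"client_id": "web-backend", "client_secret": "example-backend-secret",
              "grant_type": "authorization_code",
              "redirect_uri": "https://app.example.com/callback"}
    print(validate_token_request(ok_req))
    print(validate_token_request({**ok_req, "client_secret": None}))
```

The key design choice is ordering: client authentication happens once, before the grant-type branch, so there is no code path on which a confidential client is treated as public. The redirect URI check is a plain equality test against the registered list, which is the behaviour the advisory's "configure allowed redirect URIs" mitigation relies on.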

Solution

If you use the simple_oauth module for Drupal 8.x, upgrade to simple_oauth-8.x-4.6, 5.0.6 or 5.2.0.

Important note: 8.x-4.6 will be the last release for the D8.x-4.x branch. Support for this major version will end on February 28, 2022. The upgrade path to 5.x is easy, supported and well-tested. All users of versions < 5 should upgrade to 5.2.0. The 5.0.x version will be supported until July 31, 2022.

Source: https://www.drupal.org/sa-contrib-2022-002
