OAuth – Less Critical – Access Bypass – SA-CONTRIB-2017-006

Description

This module enables you to use the OAuth 1.a protocol to authenticate requests.

The module does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • OAuth 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the OAuth module for Drupal 7.x, upgrade to OAuth 7.x-3.3

Also see the OAuth project page.

Reported by

Fixed by

Coordinated by

Changelog

  • 2017-01-25: Released the advisory as unsupported module.
  • 2017-01-25: Updated the advisory as the module is supported again and a security release was made.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
