DRUPAL-CONTRIB-2020-006

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/saml_sp/DRUPAL-CONTRIB-2020-006.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2020-006
Published
2020-03-11T15:53:32Z
Modified
2025-12-10T23:31:48.538455Z
Summary
[none]
Details

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading, sites can disable public registration.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/saml_sp

Package

Name
drupal/saml_sp
Purl
pkg:composer/drupal/saml_sp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.7.0
Database specific
{
    "constraint": "<3.7.0"
}

Database specific

affected_versions
"<3.7.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/saml_sp/DRUPAL-CONTRIB-2020-006.json"