DRUPAL-CONTRIB-2021-006

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/samlauth/DRUPAL-CONTRIB-2021-006.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-006

Published

2021-04-28T16:47:09Z

Modified

2025-12-10T23:33:45.379764Z

Summary

[none]

Details

The SAML Authentication module allows users to authenticate against a SAML identity provider to login to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.

References

https://www.drupal.org/sa-contrib-2021-006

Credits

- Bobby Gryzynger
- - https://www.drupal.org/user/3311649
- Mark Shropshire
- - https://www.drupal.org/user/14767

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/samlauth

Package

Name: drupal/samlauth
Purl: pkg:composer/drupal/samlauth

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.1.0

Database specific

{
    "constraint": "<3.1.0"
}

Database specific

affected_versions

"<3.1.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/samlauth/DRUPAL-CONTRIB-2021-006.json"