DRUPAL-CONTRIB-2022-002

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_oauth/DRUPAL-CONTRIB-2022-002.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-002
Published
2022-01-05T17:12:29Z
Modified
2025-12-10T23:32:21.304458Z
Summary
[none]
Details

This module enables you to implement OAuth 2.0 authentication for Drupal.

The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.

This vulnerability is mitigated by the fact that the vast majority of OAuth 2.0 clients in the wild are public, not confidential. Furthermore, all affected grant types still require users to authenticate to Drupal during the OAuth flow.

The implicit grant type is insecure for other reasons (and still requires user authentication) and is disabled by default.

Sites at risk of information disclosure would be specifically configured to restrict access based on the OAuth client's confidentiality status and configured scopes, not only traditional Drupal user permissions and roles.

Further mitigation includes configuring allowed redirect URIs for clients. This is an OAuth best practice for guarding against man-in-the-middle attacks on authorization codes, and prevents redirection to imposter clients.

Anyone implementing OAuth 2.0 on their Drupal site is also encouraged to review the relevant RFCs and Internet-Drafts pertaining to OAuth security.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/simple_oauth

Package

Name
drupal/simple_oauth
Purl
pkg:composer/drupal/simple_oauth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.6.0
Database specific
{
    "constraint": "<4.6.0"
}
Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.6
Database specific
{
    "constraint": ">=5.0.0 <5.0.6"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_oauth/DRUPAL-CONTRIB-2022-002.json"
affected_versions
"<4.6.0 || >=5.0.0 <5.0.6"