
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN573
_____________________________________________________________________

DATE                : 16/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal OAuth Server versions 8.x
                                     prior to 8.x-1.1.

=====================================================================
https://www.drupal.org/sa-contrib-2020-034
_____________________________________________________________________

Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) -
Moderately critical - SQL Injection - SA-CONTRIB-2020-034

Project:        Drupal OAuth Server ( OAuth Provider) - Single Sign On
                  ( SSO )
Date:           2020-October-14
Security risk:  Moderately critical 12∕25
                AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability:  SQL Injection


Description:

This module enables you to log in to any OAuth 2.0 compliant application
using Drupal credentials.

The 8.x branch of the module is vulnerable to SQL injection.


Solution:

Install the latest version:

    If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to
    8.x-1.1


Reported By:

    Jakub Piasecki


Fixed By:

    Gaurav Sood
    Greg Knaddison of the Drupal Security Team
    Samuel Mortenson of the Drupal Security Team


Coordinated By:

    Michael Hess of the Drupal Security Team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


