
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN755
_____________________________________________________________________

DATE                : 31/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Simple OAuth (OAuth2) & OpenID 
                           Connect versions 6 prior to 6.0.7.

=====================================================================
https://www.drupal.org/sa-contrib-2025-114
_____________________________________________________________________

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass -
SA-CONTRIB-2025-114

Project: Simple OAuth (OAuth2) & OpenID Connect
Date: 2025-October-29
Security risk: Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=6.0.0 <6.0.7
CVE IDs: CVE-2025-12466
Description: 

This module introduces an OAuth 2.0 authorization server, which can be
configured to protect your Drupal instance with access tokens, or
allow clients to request new access tokens and refresh them.

The module does not sufficiently respect the scopes granted to an access
token. This affects every access check that is based on roles: for
example, the check on routes that carry the _role requirement can be
bypassed with an access token whose granted scopes should not have
covered that role.

This vulnerability is mitigated by the fact that an attacker must be in
possession of an access token, and the user the token was issued to must
already have the roles that the route's role requirement demands.
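As an added illustration of the two paragraphs above (this is not code from the Simple OAuth module or from the advisory), the following Python model contrasts a role check that consults only the roles of the token's user with one that also honours the scopes actually granted to the token. The scope-to-role mapping `SCOPE_TO_ROLE`, the user `alice`, the token scopes and the route requiring `administrator` are all constructed for the example; real Simple OAuth deployments configure their own mapping.

```python
"""Conceptual model of scope-aware role checks for an OAuth2-protected route.

Added example, not the module's code. Assumption: each OAuth2 scope maps to
one Drupal role, and an access token carries only the subset of scopes that
was granted at authorization time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # roles assigned to the account itself


@dataclass(frozen=True)
class AccessToken:
    user: User
    scopes: frozenset  # scopes granted to this token; may be narrower than the user's roles


# Constructed scope -> role mapping for this example (not the module's default).
SCOPE_TO_ROLE = {
    "editor": "content_editor",
    "admin": "administrator",
}


def roles_granted_by_scopes(scopes):
    """Roles that the token's granted scopes actually authorise."""
    return frozenset(SCOPE_TO_ROLE[s] for s in scopes if s in SCOPE_TO_ROLE)


def access_check_ignoring_scopes(token, required_roles):
    """Flawed check: looks only at the roles assigned to the token's user.

    Any token for that user, whatever its scopes, passes a role requirement
    the user satisfies. This is the failure class the advisory describes:
    the granted scopes are not respected by a role-based access check.
    """
    return bool(token.user.roles & required_roles)


def access_check_respecting_scopes(token, required_roles):
    """Hardened check: the effective roles of a token-authenticated request
    are the user's roles intersected with the roles its scopes grant.

    A token cannot confer a role its scopes never covered, and (matching the
    advisory's mitigating factor) it cannot confer a role the user lacks.
    """
    effective = token.user.roles & roles_granted_by_scopes(token.scopes)
    return bool(effective & required_roles)


def demo():
    """Run both checks against a route that requires 'administrator'."""
    alice = User("alice", frozenset({"authenticated", "content_editor", "administrator"}))
    admin_route = frozenset({"administrator"})

    # Client asked for, and was granted, only the "editor" scope.
    limited = AccessToken(alice, frozenset({"editor"}))
    # Client was granted both scopes.
    full = AccessToken(alice, frozenset({"editor", "admin"}))
    # Token for a user who does not hold the role at all.
    bob = User("bob", frozenset({"authenticated", "content_editor"}))
    bob_token = AccessToken(bob, frozenset({"editor", "admin"}))

    return {
        "limited_ignoring_scopes": access_check_ignoring_scopes(limited, admin_route),
        "limited_respecting_scopes": access_check_respecting_scopes(limited, admin_route),
        "full_respecting_scopes": access_check_respecting_scopes(full, admin_route),
        "no_role_respecting_scopes": access_check_respecting_scopes(bob_token, admin_route),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `limited` token is the interesting case: under the flawed check it reaches the administrator route because `alice` holds that role, even though the client was only ever granted the `editor` scope; under the scope-aware check it is denied. The `bob_token` case shows the advisory's mitigating factor from the other side: scopes alone never grant a role the user does not have.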

Update: the Affected versions field was updated to reflect that this
vulnerability was present in the 6.0.0 release and fixed in 6.0.7.
Earlier versions of this advisory incorrectly stated that other
versions were affected.


Solution: 

Install the latest version:

    If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for
Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7


Reported By: 

    coffeemakr 


Fixed By: 

    Bojan Bogdanovic (bojan_dev)
    coffeemakr
    Juraj Nemec (poker10) of the Drupal Security Team 


Coordinated By: 

    Greg Knaddison (greggles) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================