CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS
Percentile: 99.7%
Shibboleth Authentication module allows users to log in and get permissions based on federated (SAML2) authentication.
The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in.
Drupal core is not affected. If you do not use the contributed Shibboleth authentication module, there is nothing you need to do.
Install the latest version:
Also see the Shibboleth authentication project page.
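The class of flaw described above (a state-changing admin action that the administrator's session alone authorizes) is modelled below next to a token-checked handler. This is an added example, not the module's code or its fix; `RuleAdmin`, the rule data, the session values and the `delete-rule:<id>` action string are all hypothetical.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)  # per-site secret, constructed for this example

def action_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action, so it is useless elsewhere."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()

def token_valid(session_id: str, action: str, supplied) -> bool:
    if not isinstance(supplied, str):
        return False
    expected = action_token(session_id, action).encode()
    return hmac.compare_digest(expected, supplied.encode())  # constant-time compare

class RuleAdmin:
    """Hypothetical admin page that manages role-matching rules."""
    def __init__(self, rules):
        self.rules = dict(rules)

    def delete_unprotected(self, session, rule_id):
        # Weak pattern: the admin's session is the only thing checked.
        if not session.get("is_admin"):
            return 403
        self.rules.pop(rule_id, None)
        return 200

    def delete_protected(self, session, method, rule_id, token=None):
        if not session.get("is_admin"):
            return 403
        if method != "POST":  # no state change on a plain link fetch
            return 405
        if not token_valid(session["id"], f"delete-rule:{rule_id}", token):
            return 403
        self.rules.pop(rule_id, None)
        return 200

def demo():
    admin = {"id": "sess-constructed-1", "is_admin": True}
    rules = {1: "staff -> editor", 2: "student -> member"}
    weak, hardened = RuleAdmin(rules), RuleAdmin(rules)
    # Cross-site request: the browser supplies the session, but no valid token.
    forged_weak = weak.delete_unprotected(admin, 1)
    forged_hard = hardened.delete_protected(admin, "POST", 1, token=None)
    good = action_token(admin["id"], "delete-rule:2")  # embedded in the real form
    legit = hardened.delete_protected(admin, "POST", 2, token=good)
    return forged_weak, sorted(weak.rules), forged_hard, legit, sorted(hardened.rules)
```

`demo()` returns the status codes and the surviving rule ids for both handlers: the cross-site request removes rule 1 only from the unprotected handler.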
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/shib_auth
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/2301194
www.drupal.org/user/250470
www.drupal.org/user/496918
www.drupal.org/writing-secure-code