SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006
Project: SAML Service Provider
Date: 2020-March-11
Security risk: Critical 15∕25
Vulnerability: Access bypass
This module enables you to authenticate Drupal users using an external SAML Identity Provider.
If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.
This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading, sites could disable public registration.
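The following is an added example, not part of the advisory or the module: a shell helper that checks whether a site is in the configuration described above and can apply the interim mitigation. It assumes a Drupal 8 or later site where the registration mode is stored in the core config `user.settings` under the key `register`, and that Drush is on the PATH; the function names and the `APPLY` and `DRUSH` variables are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes Drupal 8+ and Drush, run from the site root.
# DRUSH may be overridden, e.g. DRUSH="vendor/bin/drush".
DRUSH="${DRUSH:-drush}"

# Print the core registration mode:
# admin_only, visitors or visitors_admin_approval.
registration_mode() {
    $DRUSH config:get user.settings register --format=string
}

# Succeed when visitors may register but administrator approval is
# required, which is the configuration the advisory describes.
in_affected_configuration() {
    [ "$(registration_mode)" = "visitors_admin_approval" ]
}

# Interim mitigation from the advisory: disable public registration,
# so that only administrators can create accounts.
disable_public_registration() {
    $DRUSH config:set user.settings register admin_only -y
}

# Print one status word; with APPLY=1, also apply the mitigation.
audit_registration() {
    mode=$(registration_mode) || { echo "error"; return 2; }
    case "$mode" in
        visitors_admin_approval)
            if [ "${APPLY:-0}" = "1" ]; then
                disable_public_registration >/dev/null && echo "mitigated"
            else
                echo "affected"
            fi ;;
        admin_only) echo "registration-disabled" ;;
        *) echo "not-approval-mode:$mode" ;;
    esac
}

# Run the audit only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_registration
fi
```

A result of `affected` only means the site is in the described configuration; it still needs the module update, and the mitigation should be reverted once the fixed release is installed if approval-based registration is wanted.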
Install the latest version: