critical
9.8
CWE
295
Advisory Published
Updated

CVE-2022-26493: miniOrange SAML Authentication Bypass

First published: Fri Jun 03 2022(Updated: )

Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signature - impersonating existing users and existing roles, including administrative users/roles. This vulnerability is not mitigated by configuring the module to enforce signatures or certificate checks. Xecurify recommends updating miniOrange modules to their most recent versions. This vulnerability is present in paid versions of the miniOrange Drupal SAML SP product affecting Drupal 7, 8, and 9.

Credit: mlhess@drupal.org

Affected SoftwareAffected VersionHow to fix
Drupal Saml Sp 2.0 Single Sign On>=7.x<=7.x-2.57
Drupal Saml Sp 2.0 Single Sign On>=8.x<=8.x-2.24

Remedy

The open source version of this module is not impacted. For Drupal 8/9: miniOrange Premium users should upgrade their miniOrange modules to version 30.5 or higher. miniOrange Standard users should upgrade their miniOrange modules to version 20.3 or higher. miniOrange Enterprise users should upgrade their miniOrange modules to version 40.4 or higher. For Drupal 7: miniOrange Premium users should upgrade their miniOrange modules to version 30.2 or higher. miniOrange Standard users should upgrade their miniOrange modules to version 20.2 or higher. miniOrange Enterprise users should upgrade their miniOrange modules to version 40.2 or higher. All users should ensure certificate and SAML signature enforcement are enabled.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-26493?

    CVE-2022-26493 is a vulnerability found in Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules that allows an attacker to bypass authentication and authorization.

  • How severe is CVE-2022-26493?

    CVE-2022-26493 has a severity rating of 8.8, which is considered critical.

  • Which software is affected by CVE-2022-26493?

    The Drupal SAML SP modules, specifically version 7.x-2.57 and earlier, and version 8.x-2.24 and earlier, are affected by CVE-2022-26493.

  • How can an attacker exploit CVE-2022-26493?

    An attacker with access to a HTTP-request intercepting method can exploit CVE-2022-26493 by removing the SAML Assertion Signature to bypass authentication and authorization.

  • Is there a fix for CVE-2022-26493?

    At the moment, there is no official fix available for CVE-2022-26493. It is recommended to monitor for updates from the vendor.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203