Date
Severity
Moderately Critical
Vulnerability
Access bypass
Affected versions
<7.x-1.4

Description

The OpenID Connect module provides OpenID Connect authentication for Drupal 7 sites, allowing users to authenticate using external identity providers. The module includes functionality to automatically create user accounts when users authenticate through supported OpenID Connect providers.

When the module auto-creates an account, its check for an existing account with the same email address is case-sensitive. An address that differs from a stored one only in letter case (for example Alice@example.com versus alice@example.com) is therefore treated as new, and a second account is created for the same mailbox. An attacker could exploit this by authenticating through an identity provider that returns the same email address in a different case, ending up with multiple Drupal accounts tied to one email address.

This vulnerability is mitigated by the fact that an attacker must first be able to authenticate through one of the site's configured OpenID Connect providers. It also depends on the provider returning the email address in a different letter case, which in many deployments is not under the attacker's direct control.
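The following is an added illustration of the flaw and its fix in plain PHP; it is not code from the OpenID Connect module or from Drupal core. The in-memory $users array stands in for the {users} table, the userinfo array is a constructed example of what a provider might return, and the function names are assumptions chosen for this example:

```php
<?php
// Added example, not code from the OpenID Connect module or Drupal core.
// Constructed stand-in for the {users} table.
$users = array(
  array('uid' => 1, 'name' => 'alice', 'mail' => 'Alice@example.com'),
  array('uid' => 2, 'name' => 'bob',   'mail' => 'bob@example.com'),
);

// Vulnerable pattern: an exact string comparison (or a DB lookup under a
// case-sensitive collation) does not see 'alice@example.com' as taken.
function find_user_by_mail_exact(array $users, $mail) {
  foreach ($users as $row) {
    if ($row['mail'] === $mail) {
      return $row;
    }
  }
  return NULL;
}

// Hardened pattern: normalise both sides before comparing. mb_strtolower
// also covers non-ASCII local parts and internationalised domains.
function normalize_mail($mail) {
  return mb_strtolower(trim($mail), 'UTF-8');
}

function find_user_by_mail_ci(array $users, $mail) {
  $needle = normalize_mail($mail);
  foreach ($users as $row) {
    if (normalize_mail($row['mail']) === $needle) {
      return $row;
    }
  }
  return NULL;
}

// Auto-provisioning step after the provider has returned userinfo: refuse
// to create a second account when one already owns the address. Whether to
// link the login to the existing account instead is a policy decision.
function provision_from_userinfo(array &$users, array $userinfo) {
  if (empty($userinfo['email'])) {
    throw new InvalidArgumentException('provider returned no email claim');
  }
  if (find_user_by_mail_ci($users, $userinfo['email']) !== NULL) {
    return 'exists';
  }
  $users[] = array(
    'uid'  => count($users) + 1,
    'name' => $userinfo['preferred_username'],
    // Store the normalised form so later lookups stay consistent.
    'mail' => normalize_mail($userinfo['email']),
  );
  return 'created';
}

// Constructed userinfo: the same mailbox as uid 1, in a different case.
$userinfo = array(
  'sub'                => 'abc123',
  'preferred_username' => 'alice2',
  'email'              => 'ALICE@Example.COM',
);

$exact = find_user_by_mail_exact($users, $userinfo['email']);
echo "exact lookup: ", ($exact === NULL ? 'no match (would create a duplicate)' : 'uid ' . $exact['uid']), "\n";

$ci = find_user_by_mail_ci($users, $userinfo['email']);
echo "case-insensitive lookup: ", ($ci === NULL ? 'no match' : 'uid ' . $ci['uid']), "\n";

echo "provisioning result: ", provision_from_userinfo($users, $userinfo), "\n";
echo "accounts after provisioning: ", count($users), "\n";
```

In a real Drupal 7 module the lookup runs against the database rather than an array, so the comparison must be made case-insensitive in the query itself instead of relying on the column collation, which differs between database back ends. Drupal 7 core's own account-form validation does this with a LIKE comparison on the escaped address (db_like()); a module that creates users programmatically bypasses that form validation and has to perform the same check itself.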

Solution

Install the latest version.

If you use the OpenID Connect module for Drupal 7, upgrade to OpenID Connect 7.x-1.5:


Reported by

Fixed by

Coordinated by