Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014


Chronologisch Thread 
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014
  • Date: Wed, 6 Feb 2019 18:41:47 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-014

Project: Acquia Connector [1]
Date: 2019-February-06
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
Acquia Connector facilitates sending certain telemetry data to Acquia for the
purposes of analysis. The module automates the collection of site information
to speed support communication and issue resolution. It is required for use
with the Acquia Insight service.

The module does not properly enforce access control in a specific case, which
can lead to disclosing information.

The vulnerability is mitigated by requiring the module diff feature to be
enabled. This feature is enabled by default.

Solution: 
Install the latest version:

* If you use the Acquia Connector module for Drupal 7.x, upgrade to Acquia
Connector 7.x-3.4 [3]
* If you use the Acquia Connector module for Drupal 8.x, upgrade to Acquia
Connector 8.x-1.16 [4]

This vulnerability can be mitigated by unchecking /Source code/ under /Allow
collection and examination of the following items/ on the Acquia Subscription
settings (in Drupal 7) or Acquia Connector settings (in Drupal 8) page. The
settings page is under Administration -> Configuration -> System.

For Drupal 7, this setting can also be disabled by setting the
acquia_spi_module_diff_data variable to FALSE. Using Drush:

drush vset acquia_spi_module_diff_data FALSE
For Drupal 8, this setting can also be disabled by setting the
spi.module_diff_data key within the acquia_connector.settings configuration
setting to 0. Using Drush:

drush config-set acquia_connector.settings spi.module_diff_data 0
Also see the Acquia Connector [5] project page.

Reported By: 
* Samuel Mortenson [6] of the Drupal Security Team

Fixed By: 
* Mark Trapp [7]
* Vlad Pavlovic [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* Cash Williams [10] of the Drupal Security Team


[1] https://www.drupal.org/project/acquia_connector
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acquia_connector/releases/7.x-3.4
[4] https://www.drupal.org/project/acquia_connector/releases/8.x-1.16
[5] https://www.drupal.org/project/acquia_connector
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/212019
[8] https://www.drupal.org/user/92673
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/421070

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014, security-news, 06.02.2019

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang