it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025
- Date: Wed, 5 Jun 2024 17:13:04 +0000 (UTC)
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7046684956
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4C2E540153
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-025
Project: Acquia DAM [1]
Date: 2024-June-05
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass, Denial of Service
Affected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3
Description:
Acquia DAM provides a connection to a third-party asset management system,
allowing for images to be managed, linked to, and viewed from Drupal. In
order for assets to be managed in Drupal, a site administrator must first
authenticate the site to their DAM instance.
The module doesn't sufficiently protect the ability to disconnect a site from
DAM. While disconnected sites do not lose asset data in Drupal, it will
prevent site editors from accessing the DAM until a site administrator
re-authenticates the site. Some uncached media images may also fail to be
fetched while disconnected.
Solution:
Install the latest version:
* If you use the acquia_dam module for Drupal 9.4 or above, upgrade to
Acquia DAM 1.0.13 [3].
* If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM
1.1.0-beta3 [4]. (Note: beta releases generally do not receive security
coverage.)
Reported By:
* Matt Glaman [5]
Fixed By:
* Matt Glaman [6]
* Greg Knaddison [7] of the Drupal Security Team
* Balázs Ertl-Bakos [8]
* Jakob Perry [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* xjm [11] of the Drupal Security Team
[1] https://www.drupal.org/project/acquia_dam
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acquia_dam/releases/1.0.13
[4] https://www.drupal.org/project/acquia_dam/releases/1.1.0-beta3
[5] https://www.drupal.org/user/2416470
[6] https://www.drupal.org/user/2416470
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/1086292
[9] https://www.drupal.org/user/45640
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/65776
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025, security-news, 05.06.2024
Archiv bereitgestellt durch MHonArc 2.6.19+.