View online: https://www.drupal.org/sa-contrib-2024-025
Project: Acquia DAM [1] Date: 2024-June-05 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass, Denial of Service
Affected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3 Description: Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.
The module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.
Solution: Install the latest version:
* If you use the acquia_dam module for Drupal 9.4 or above, upgrade to Acquia DAM 1.0.13 [3]. * If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM 1.1.0-beta3 [4]. (Note: beta releases generally do not receive security coverage.)
Reported By: * Matt Glaman [5]
Fixed By: * Matt Glaman [6] * Greg Knaddison [7] of the Drupal Security Team * Balázs Ertl-Bakos [8] * Jakob Perry [9]
Coordinated By: * Greg Knaddison [10] of the Drupal Security Team * xjm [11] of the Drupal Security Team
[1] https://www.drupal.org/project/acquia_dam [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/acquia_dam/releases/1.0.13 [4] https://www.drupal.org/project/acquia_dam/releases/1.1.0-beta3 [5] https://www.drupal.org/user/2416470 [6] https://www.drupal.org/user/2416470 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/1086292 [9] https://www.drupal.org/user/45640 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/user/65776