View online: https://www.drupal.org/sa-contrib-2019-014
Project: Acquia Connector [1]
Date: 2019-February-06
Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description: Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.
The module does not properly enforce access control in a specific case, which can lead to disclosing information.
The vulnerability is only present when the module diff feature is enabled. This feature is enabled by default.
Solution: Install the latest version:

* If you use the Acquia Connector module for Drupal 7.x, upgrade to Acquia Connector 7.x-3.4 [3]
* If you use the Acquia Connector module for Drupal 8.x, upgrade to Acquia Connector 8.x-1.16 [4]
This vulnerability can be mitigated by unchecking /Source code/ under /Allow collection and examination of the following items/ on the Acquia Subscription settings (in Drupal 7) or Acquia Connector settings (in Drupal 8) page. The settings page is under Administration -> Configuration -> System.
For Drupal 7, this setting can also be disabled by setting the acquia_spi_module_diff_data variable to FALSE. Using Drush:

drush vset acquia_spi_module_diff_data FALSE

For Drupal 8, this setting can also be disabled by setting the spi.module_diff_data key within the acquia_connector.settings configuration setting to 0. Using Drush:

drush config-set acquia_connector.settings spi.module_diff_data 0

Also see the Acquia Connector [5] project page.
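
As an added example (not part of the advisory or of the Acquia Connector project), the sh functions below classify a site from its installed module version and its module diff setting, using the fixed releases and setting names given above. The function names are hypothetical, and the script assumes that releases below the fixed one on the same core branch are affected and that 0, FALSE or false read back from the setting mean it is disabled.

```shell
#!/bin/sh
# Added example: classify a site's exposure to SA-CONTRIB-2019-014 from two
# values an operator has already collected. It does not call Drush itself.

# Fixed release per Drupal core branch, as named in the advisory.
fixed_release() {
  case "$1" in
    7.x) echo 3.4 ;;
    8.x) echo 1.16 ;;
    *) return 1 ;;
  esac
}

# version_ge A B: true when MAJOR.MINOR version A >= B (so 3.10 >= 3.4).
version_ge() {
  [ "${1%%.*}" -gt "${2%%.*}" ] && return 0
  [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${1#*.}" -ge "${2#*.}" ]
}

# classify VERSION DIFF_SETTING -> patched | mitigated | vulnerable | unknown
#   VERSION       installed module version, e.g. 7.x-3.3 or 8.x-1.16
#   DIFF_SETTING  acquia_spi_module_diff_data (D7) or spi.module_diff_data
#                 (D8); empty means unset, i.e. the enabled default
classify() {
  branch=${1%%-*}
  release=${1#*-}
  fixed=$(fixed_release "$branch") || { echo unknown; return 0; }
  case "$release" in
    *[!0-9.]*|*.*.*|.*|*.) echo unknown; return 0 ;;  # dev/rc/odd strings
    *.*) ;;
    *) echo unknown; return 0 ;;
  esac
  if version_ge "$release" "$fixed"; then
    echo patched
    return 0
  fi
  # Assumption: these spellings all mean "disabled" when the value is read back.
  case "$2" in
    0|FALSE|false) echo mitigated ;;
    *) echo vulnerable ;;
  esac
}

# Constructed sample inventory, one "version setting" pair per line.
printf '%s\n' '7.x-3.3 1' '7.x-3.3 FALSE' '8.x-1.16 1' '8.x-1.x-dev 0' |
while read -r v s; do
  printf '%-12s %-6s %s\n' "$v" "$s" "$(classify "$v" "$s")"
done
```

Sites reported as unknown (development snapshots, release candidates, unrecognised branches) need a manual check against the release pages [3] and [4].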
Reported By:
* Samuel Mortenson [6] of the Drupal Security Team

Fixed By:
* Mark Trapp [7]
* Vlad Pavlovic [8]

Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
* Cash Williams [10] of the Drupal Security Team
[1] https://www.drupal.org/project/acquia_connector
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acquia_connector/releases/7.x-3.4
[4] https://www.drupal.org/project/acquia_connector/releases/8.x-1.16
[5] https://www.drupal.org/project/acquia_connector
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/212019
[8] https://www.drupal.org/user/92673
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/421070