[Security-news] Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025
security-news at drupal.org
security-news at drupal.org
Wed Jun 5 17:13:04 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-025
Project: Acquia DAM [1]
Date: 2024-June-05
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass, Denial of Service
Affected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3
Description:
Acquia DAM provides a connection to a third-party asset management system,
allowing for images to be managed, linked to, and viewed from Drupal. In
order for assets to be managed in Drupal, a site administrator must first
authenticate the site to their DAM instance.
The module doesn't sufficiently protect the ability to disconnect a site from
DAM. While disconnected sites do not lose asset data in Drupal, it will
prevent site editors from accessing the DAM until a site administrator
re-authenticates the site. Some uncached media images may also fail to be
fetched while disconnected.
Solution:
Install the latest version:
* If you use the acquia_dam module for Drupal 9.4 or above, upgrade to
Acquia DAM 1.0.13 [3].
* If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM
1.1.0-beta3 [4]. (Note: beta releases generally do not receive security
coverage.)
Reported By:
* Matt Glaman [5]
Fixed By:
* Matt Glaman [6]
* Greg Knaddison [7] of the Drupal Security Team
* Balázs Ertl-Bakos [8]
* Jakob Perry [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* xjm [11] of the Drupal Security Team
[1] https://www.drupal.org/project/acquia_dam
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acquia_dam/releases/1.0.13
[4] https://www.drupal.org/project/acquia_dam/releases/1.1.0-beta3
[5] https://www.drupal.org/user/2416470
[6] https://www.drupal.org/user/2416470
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/1086292
[9] https://www.drupal.org/user/45640
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/65776
More information about the Security-news
mailing list