Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014

Project: Acquia Connector
Date: 2019-February-06
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description: Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.
The module does not properly enforce access control in a specific case, which can lead to disclosing information.
The vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.

Solution: Install the latest version:

This vulnerability can be mitigated by unchecking "Source code" under "Allow collection and examination of the following items" on the Acquia Subscription settings (in Drupal 7) or Acquia Connector settings (in Drupal 8) page. The settings page is under Administration -> Configuration -> System.
For Drupal 7, this setting can also be disabled by setting the acquia_spi_module_diff_data variable to FALSE. Using Drush:

drush vset acquia_spi_module_diff_data FALSE

For Drupal 8, this setting can also be disabled by setting the spi.module_diff_data key within the acquia_connector.settings configuration setting to 0. Using Drush:

drush config-set acquia_connector.settings spi.module_diff_data 0

Also see the Acquia Connector project page.

Reported By: 

Fixed By: 

Coordinated By: 
