Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025

Project: Acquia DAMDate: 2024-June-05Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypass, Denial of ServiceAffected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3Description: Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.
The module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.Solution: Install the latest version:

  • If you use the acquia_dam module for Drupal 9.4 or above, upgrade to Acquia DAM 1.0.13.
  • If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM 1.1.0-beta3. (Note: beta releases generally do not receive security coverage.)

Reported By: 

Fixed By: 

Coordinated By: 

Path to article