Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.
The module does not properly enforce access control in a specific case, which can lead to disclosing information.
The vulnerability is mitigated by the fact that the module diff feature must be enabled for it to be exploitable. This feature is enabled by default.
Install the latest version:
- If you use the Acquia Connector module for Drupal 7.x, upgrade to Acquia Connector 7.x-3.4
- If you use the Acquia Connector module for Drupal 8.x, upgrade to Acquia Connector 8.x-1.16
This vulnerability can be mitigated by unchecking Source code under Allow collection and examination of the following items on the Acquia Subscription settings (in Drupal 7) or Acquia Connector settings (in Drupal 8) page. The settings page is under Administration -> Configuration -> System.
For Drupal 7, this setting can also be disabled by setting the acquia_spi_module_diff_data variable to FALSE. Using Drush:
drush vset acquia_spi_module_diff_data FALSE
For Drupal 8, this setting can also be disabled by setting the spi.module_diff_data key within the acquia_connector.settings configuration setting to 0. Using Drush:
drush config-set acquia_connector.settings spi.module_diff_data 0
Also see the Acquia Connector project page.
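To triage several sites against this advisory, the following added example (not code from Acquia or the Drupal project) classifies an installed Acquia Connector version string and prints the interim Drush mitigation for vulnerable ones. The function names and the "site version" inventory format are hypothetical; it assumes releases at or above the fixed version on the same branch are patched, and reports other branches and pre-releases as unknown because the advisory does not cover them.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Fixed releases per the advisory: 7.x-3.4 and 8.x-1.16.

# Prints patched | vulnerable | unknown for a version string like "7.x-3.3".
connector_status() {
  ver=$1
  core=${ver%%-*}   # core branch, e.g. "7.x"
  rest=${ver#*-}    # module release, e.g. "3.3" or "1.x-dev"
  case $core in
    7.x) fix_major=3; fix_minor=4 ;;
    8.x) fix_major=1; fix_minor=16 ;;
    *) echo unknown; return 0 ;;
  esac
  case $rest in *.*) ;; *) echo unknown; return 0 ;; esac
  major=${rest%%.*}
  minor=${rest#*.}
  # Assumption: only plain numeric releases on the advisory's branch are
  # judged; -dev, -rc and other major branches are reported as unknown.
  case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  case $minor in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  [ "$major" -eq "$fix_major" ] || { echo unknown; return 0; }
  if [ "$minor" -ge "$fix_minor" ]; then echo patched; else echo vulnerable; fi
}

# Prints the interim mitigation command given in the advisory.
mitigation_cmd() {
  case $1 in
    7.x*) echo "drush vset acquia_spi_module_diff_data FALSE" ;;
    8.x*) echo "drush config-set acquia_connector.settings spi.module_diff_data 0" ;;
    *) return 1 ;;
  esac
}

# Reads "site version" lines on stdin and prints one result line per site.
triage() {
  while read -r site ver; do
    [ -n "$site" ] || continue
    st=$(connector_status "$ver")
    if [ "$st" = vulnerable ]; then
      echo "$site $ver $st -> $(mitigation_cmd "$ver")"
    else
      echo "$site $ver $st"
    fi
  done
}

# Constructed sample inventory (not real sites).
printf '%s\n' 'shop 7.x-3.3' 'blog 8.x-1.16' 'intranet 8.x-1.x-dev' | triage
```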
- Samuel Mortenson of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Cash Williams of the Drupal Security Team