Date Published: September 27, 2024
CVE-2024-45440 Drupal Full Path Disclosure
CVE-2024-45440 represents a low risk to Drupal sites hosted with Acquia.
The sensitive information in question is the full filesystem path to the codebase, exposed in error messages embedded in some HTML pages.
The issue only presents in certain unlikely circumstances, such as a configuration error in the settings.php file. This requires a developer to change the codebase, for example by editing settings.php or removing a file the site needs. At that point, however, the Drupal site would start throwing very visible errors or warnings that basic quality checks would catch.
This is further mitigated by Acquia’s load balancer configuration, which intercepts 500 errors for production environments. As a result, the sensitive information described in the CVE would not leak from production websites.
Note: this CVE was published outside the protocols of the Drupal Security Team. You can read about this discussion here: https://www.drupal.org/project/securitydrupalorg/issues/3471501
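To verify whether a captured response from a non-production environment actually carries this disclosure, the following added Python example (not Acquia's or Drupal's code) extracts absolute codebase paths from the PHP and Drupal diagnostic formats embedded in an HTML body and infers the codebase root they reveal; the sample HTML is constructed for illustration.

```python
import re
from html import unescape

# Three places PHP and Drupal diagnostics embed an absolute filesystem path. Matching runs on
# tag-stripped text so raw PHP html_errors output (seen when the error fires in settings.php,
# before Drupal's own handler is installed) and Drupal's handler format are both covered:
#   raw PHP:   "... in /var/www/html/web/sites/default/settings.php on line 42"
#   Drupal:    "... in include() (line 7 of /var/www/html/web/modules/custom/foo.module)."
#   call args: "include(/var/www/html/web/sites/default/settings.local.php): Failed to open stream"
DISCLOSURE_PATTERNS = [
    re.compile(r"\bin\s+(/\S+?)\s+on\s+line\s+\d+"),
    re.compile(r"\(line\s+\d+\s+of\s+(/[^)]+)\)"),
    re.compile(r"\b(?:include|include_once|require|require_once|fopen|opendir)\((/[^)]+)\)"),
]
TAG_RE = re.compile(r"<[^>]+>")

def find_disclosed_paths(html: str) -> list[str]:
    """Absolute paths disclosed by error diagnostics in an HTML body, sorted and deduplicated."""
    text = unescape(TAG_RE.sub("", html))
    return sorted({m.group(1) for pat in DISCLOSURE_PATTERNS for m in pat.finditer(text)})

def common_root(paths: list[str]) -> str:
    """Longest directory prefix shared by the paths: the codebase location the page would reveal."""
    if not paths:
        return ""
    parts = [p.split("/") for p in paths]
    n = 0
    # Advance while every path still has a component beyond n (the filename never joins the root).
    while all(len(p) > n + 1 and p[n] == parts[0][n] for p in parts):
        n += 1
    return "/".join(parts[0][:n]) or "/"

def assess_response(body: str) -> dict:
    """Summarise whether a captured response body leaks codebase paths. The HTTP status is
    deliberately not consulted: a maintenance page can carry these warnings with a 200 status."""
    paths = find_disclosed_paths(body)
    return {"leaks_paths": bool(paths), "paths": paths, "codebase_root": common_root(paths)}

# Constructed sample: a maintenance page carrying one raw PHP warning and one Drupal-formatted notice.
SAMPLE_HTML = (
    "<html><body><br />\n<b>Warning</b>:  include(/var/www/html/web/sites/default/settings.local.php): "
    "Failed to open stream: No such file or directory in "
    "<b>/var/www/html/web/sites/default/settings.php</b> on line <b>42</b><br />\n"
    "<p>Deprecated: Creation of dynamic property is deprecated in Drupal\\foo\\Bar-&gt;baz() "
    "(line 7 of /var/www/html/web/modules/custom/foo/src/Bar.php).</p>\n"
    "<h1>Site under maintenance</h1></body></html>"
)
```

Running `assess_response` over the bodies saved from a staging crawl flags any page that still embeds diagnostics, independently of the status code the load balancer saw.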
Next Steps
The issue is being actively worked on by the Drupal community. See the Drupal.org issue "Maintenance pages leak sensitive environment information" for details regarding this ongoing work.
The eventual fix will be to upgrade to a Drupal version that resolves this issue.
If you are seeing messages about the CVE in Composer commands (such as "composer audit"), you can choose to disable reporting of this specific CVE via the project's composer.json file by adding this section:
{
    "config": {
        "audit": {
            "ignore": ["GHSA-mg8j-w93w-xjgc"]
        }
    }
}