Search criteria
10 vulnerabilities found for data.all by amazon
CVE-2024-52314 (GCVE-0-2024-52314)
Vulnerability from nvd – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:01
VLAI?
Title
data.all admin user may access potentially sensitive data stored by producers via logs
Summary
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:13:11.276356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:16:33.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:01:19.396Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all admin user may access potentially sensitive data stored by producers via logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52314",
"datePublished": "2024-11-09T00:43:10.397Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:01:19.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52313 (GCVE-0-2024-52313)
Vulnerability from nvd – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:26
VLAI?
Title
data.all authenticated users can obtain incorrect object level authorizations
Summary
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:14:18.810787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:14:33.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:26:56.176Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can obtain incorrect object level authorizations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52313",
"datePublished": "2024-11-09T00:43:00.250Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:26:56.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52312 (GCVE-0-2024-52312)
Vulnerability from nvd – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:02
VLAI?
Title
data.all authenticated users can perform restricted operations against DataSets and Environments
Summary
Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.
Severity ?
5.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:13:29.909242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:13:39.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122: Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:02:40.936Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-676j-g6g5-chj9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can perform restricted operations against DataSets and Environments",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52312",
"datePublished": "2024-11-09T00:43:04.986Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:02:40.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52311 (GCVE-0-2024-52311)
Vulnerability from nvd – Published: 2024-11-09 00:42 – Updated: 2025-10-14 19:25
VLAI?
Title
data.all does not invalidate authentication token upon user logout
Summary
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:18:38.020797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:18:52.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired."
}
],
"impacts": [
{
"capecId": "CAPEC-633",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-633 Token Impersonation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:25:04.120Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all does not invalidate authentication token upon user logout",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52311",
"datePublished": "2024-11-09T00:42:49.246Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:25:04.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10953 (GCVE-0-2024-10953)
Vulnerability from nvd – Published: 2024-11-09 00:42 – Updated: 2025-10-14 19:03
VLAI?
Title
data.all authenticated users can perform mutating update operations on persisted notification records
Summary
An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:17:01.070740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:17:12.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:03:41.864Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-x4j5-jm65-vp5j"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can perform mutating update operations on persisted notification records",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-10953",
"datePublished": "2024-11-09T00:42:55.584Z",
"dateReserved": "2024-11-06T21:15:25.078Z",
"dateUpdated": "2025-10-14T19:03:41.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52314 (GCVE-0-2024-52314)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:01
VLAI?
Title
data.all admin user may access potentially sensitive data stored by producers via logs
Summary
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:13:11.276356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:16:33.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:01:19.396Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all admin user may access potentially sensitive data stored by producers via logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52314",
"datePublished": "2024-11-09T00:43:10.397Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:01:19.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52312 (GCVE-0-2024-52312)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:02
VLAI?
Title
data.all authenticated users can perform restricted operations against DataSets and Environments
Summary
Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.
Severity ?
5.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:13:29.909242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:13:39.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122: Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:02:40.936Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-676j-g6g5-chj9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can perform restricted operations against DataSets and Environments",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52312",
"datePublished": "2024-11-09T00:43:04.986Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:02:40.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52313 (GCVE-0-2024-52313)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:26
VLAI?
Title
data.all authenticated users can obtain incorrect object level authorizations
Summary
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:14:18.810787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:14:33.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:26:56.176Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can obtain incorrect object level authorizations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52313",
"datePublished": "2024-11-09T00:43:00.250Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:26:56.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10953 (GCVE-0-2024-10953)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:42 – Updated: 2025-10-14 19:03
VLAI?
Title
data.all authenticated users can perform mutating update operations on persisted notification records
Summary
An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:17:01.070740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:17:12.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:03:41.864Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-x4j5-jm65-vp5j"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can perform mutating update operations on persisted notification records",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-10953",
"datePublished": "2024-11-09T00:42:55.584Z",
"dateReserved": "2024-11-06T21:15:25.078Z",
"dateUpdated": "2025-10-14T19:03:41.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52311 (GCVE-0-2024-52311)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:42 – Updated: 2025-10-14 19:25
VLAI?
Title
data.all does not invalidate authentication token upon user logout
Summary
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:18:38.020797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:18:52.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired."
}
],
"impacts": [
{
"capecId": "CAPEC-633",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-633 Token Impersonation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:25:04.120Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all does not invalidate authentication token upon user logout",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52311",
"datePublished": "2024-11-09T00:42:49.246Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:25:04.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}