high

Issue with data.all Framework (Multiple CVEs)

Published Fri, Nov 8th, 2024

Summary

Multiple security vulnerabilities were identified in data.all, an open source development framework for building data marketplaces on AWS. The issues affect versions 1.0.0 through 2.6.0 and include problems with authentication token invalidation, unauthorized operations on DataSets and Environments, incorrect object-level authorizations, potential access to sensitive data via logs, and unauthorized mutating update operations on notification records.

Affected Services

data.all

Remediation

Upgrade to data.all version 2.6.1 or later. Ensure any forked or derivative code is patched to incorporate the new fixes.

Tracked CVEs

CVE-2024-52311, CVE-2024-52312, CVE-2024-52313, CVE-2024-52314, CVE-2024-10953

Entry Status
Stub (AI-Generated)
Disclosure Date
-
Exploitability Period
Until 2024/11/08
Known ITW Exploitation
-
Detection Methods
Check the installed version of data.all. If using version 2.6.0 or earlier, the system may be vulnerable. Review logs for suspicious activities related to the described vulnerabilities.
Piercing Index Rating
-
Discovered by
Amazon Web Services