CVE-2024-52314 – data.all admin user may access potentially sensitive data stored by producers via logs
https://notcve.org/view.php?id=CVE-2024-52314
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs via CloudWatch log scanning for particular operations that interact with customer producer teams' data. • https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h • CWE-863: Incorrect Authorization •
CVE-2024-52312 – data.all authenticated users can perform restricted operations against DataSets and Environments
https://notcve.org/view.php?id=CVE-2024-52312
Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments. • https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/security/advisories/GHSA-676j-g6g5-chj9 • CWE-863: Incorrect Authorization •
CVE-2024-52313 – data.all authenticated users can obtain incorrect object level authorizations
https://notcve.org/view.php?id=CVE-2024-52313
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not be able to fetch by directly querying the object via getEnvironment in data.all. • https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c • CWE-863: Incorrect Authorization •
CVE-2024-10953 – data.all authenticated users can perform mutating update operations on persisted notification records
https://notcve.org/view.php?id=CVE-2024-10953
An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications of groups that the user is not a member of. • https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/security/advisories/GHSA-x4j5-jm65-vp5j • CWE-863: Incorrect Authorization •
CVE-2024-52311 – data.all does not invalidate authentication token upon user logout
https://notcve.org/view.php?id=CVE-2024-52311
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing a previously authenticated user to continue executing authorized API requests until the token expires. • https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v • CWE-863: Incorrect Authorization •