CVE-2024-52313

An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AMZNCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
VendorProductVersion
amazondata.all
1.0.0 ≤
𝑥
< 2.6.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://aws.amazon.com/security/security-bulletins/AWS-2024-013
https://github.com/data-dot-all/dataall/releases/tag/v2.6.1
https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c