Description
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/awslabs/aws-dataall/security/advisories/GHSA-m922-chh7-8qcr
Patch x_refsource_misc
https://github.com/awslabs/aws-dataall/pull/472
Release Notes x_refsource_misc
https://github.com/awslabs/aws-dataall/releases/tag/v1.5.2
Release Notes x_refsource_misc
https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4
Scores
CVSS v3
8.0
EPSS
0.0326
EPSS Percentile
87.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
amazon/aws-dataall
1.2.0 - 1.5.1
Published
Jun 28, 2023
Tracked Since
Feb 18, 2026