CVE-2024-52311

MEDIUM

Data All - Auth Bypass

Title source: llm

Description

Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.

References (3)

[Vendor Advisory] https://aws.amazon.com/security/security-bulletins/AWS-2024-013

[Vendor Advisory] https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v

[Release Notes] https://github.com/data-dot-all/dataall/releases/tag/v2.6.1

Scores

CVSS v3 6.3

EPSS 0.0031

EPSS Percentile 54.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (1)

amazon/data.all 1.0.0 - 2.6.1

Published Nov 09, 2024

Tracked Since Feb 18, 2026