18 matches found
CVE-2024-52314
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data...
CVE-2023-36467
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue...
CVE-2024-52313
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all...
CVE-2024-52314
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data...
CVE-2024-52311
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired...
CVE-2024-52314 data.all admin user may access potentially sensitive data stored by producers via logs
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data...
CVE-2024-52314 data.all admin user may access potentially sensitive data stored by producers via logs
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data...
CVE-2024-52313 data.all authenticated users can obtain incorrect object level authorizations
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all...
CVE-2024-52311
The CVE-2024-52311 entry concerns data.all (data-dot-all) where authentication tokens issued via Cognito are not invalidated on user logout. This allows a previously authenticated user to continue making authorized API requests until the Cognito token expires. The available connected documents id...
CVE-2024-52311 data.all does not invalidate authentication token upon user logout
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired...
CVE-2024-52311 data.all does not invalidate authentication token upon user logout
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired...
data.all 安全漏洞
data.all is an open source development framework from data-dot-all open source. A security vulnerability exists in data.all, which stems from the ability of an authenticated data.all user to manipulate a getDataset query to obtain additional information about a parent environment resource that th...
data.all 安全漏洞
data.all is an open source development framework from data-dot-all open source. A security vulnerability exists in data.all that stems from inconsistent authorization permissions that could allow external participants with authenticated accounts to perform restricted operations on data sets and...
PT-2024-35172 · Alldata · Alldata
Name of the Vulnerable Software and Affected Versions: data.all affected versions not specified Description: The issue is related to inconsistent authorization permissions in data.all, which may allow an external actor with an authenticated account to perform restricted operations against DataSet...
CVE-2023-36467
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue...
CVE-2023-36467
CVE-2023-36467 concerns AWS data.all, an open-source data marketplace framework. The connected sources confirm that versions 1.2.0 through 1.5.1 are vulnerable to remote code execution when an authenticated user injects Python commands into the Template field during data pipeline configuration. T...
CVE-2023-36467 AWS data.all vulnerable to RCE through user injection of Python Commands
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue...
PT-2023-25581 · Alldata · Alldata
Name of the Vulnerable Software and Affected Versions: data.all versions 1.2.0 through 1.5.1 Description: The issue concerns remote code execution when a user injects Python commands into the Template field while configuring a data pipeline. This can only be triggered by authenticated users...