Potential Data Exfiltration Through CloudWatch Log Scanning
CVE-2024-52314

6.9MEDIUM

Key Information:

Vendor

Amazon

Status
Data.all
Vendor
CVE Published:
9 November 2024

What is CVE-2024-52314?

A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.

Affected Version(s)

data.all 1.0.0 <= 2.6.0

References

https://aws.amazon.com/security/security-bulletins/AWS-20...
vendor-advisory
https://github.com/data-dot-all/dataall/security/advisori...
third-party-advisory
https://github.com/data-dot-all/dataall/releases/tag/v2.6.1
patch

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.