CVE-2024-52311

data.all does not invalidate authentication token upon user logout

CVSS 5.3 MEDIUMEPSS 0.5%CWE-613

Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected products

amazon · data.all

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/releases/tag/v2.6.1 https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v