CVE-2024-52311

data.all does not invalidate authentication token upon user logout

CVSS 5.3 MEDIUMEPSS 0.5%CWE-613

Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Produtos afetados

amazon · data.all

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://aws.amazon.com/security/security-bulletins/AWS-2024-013 https://github.com/data-dot-all/dataall/releases/tag/v2.6.1 https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v