Noah-Paige

**Name of the Vulnerable Software and Affected Versions** Amazon Web Services (AWS) (affected versions not specified) **Description** The issue allows an authenticated data.all user to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amazon Cognito (affected versions not specified) **Description** The issue allows previously authenticated users to continue executing authorized API requests until their authentication token expires, even after logging out. This is because authentication tokens issued via Cognito in data.all are not invalidated on log out. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** data.all (affected versions not specified) **Description** The issue is related to inconsistent authorization permissions in data.all, which may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amazon data.all versions <=2.6.0 **Description** An authenticated data.all user can manipulate a `getDataset` query to fetch additional information regarding the parent Environment resource that the user otherwise would not be able to fetch by directly querying the object via `getEnvironment` in data.all. This issue is related to incorrect authorization and can be remotely exploited. **Recommendations** For Amazon data.all versions <=2.6.0, upgrade to a patched version immediately to resolve the issue. As a temporary workaround, consider restricting access to the `getDataset` query to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** data.all (affected versions not specified) **Description** A data.all admin team member with access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs via CloudWatch log scanning for particular operations that interact with customer producer teams data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.