PT-2024-35173 · Amazon · Alldata
Noah-Paige · Published 2024-11-08 · Updated 2025-10-14
CVE-2024-52313
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Amazon data.all versions <=2.6.0
Description
An authenticated data.all user can manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not be able to fetch by directly querying the object via getEnvironment in data.all. This issue is related to incorrect authorization and can be remotely exploited.
Recommendations
For Amazon data.all versions <=2.6.0, upgrade to a patched version immediately to resolve the issue. As a temporary workaround, consider restricting access to the getDataset query to minimize the risk of exploitation.
Fix
Incorrect Authorization
IDOR
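The authorization gap described above, as an added example that is not data.all's code: a constructed Python model in which a nested field resolver returns the parent Environment without the check the top-level query applies, next to a resolver that reuses the guarded path. All function names, permission strings and sample records are assumptions made for illustration.

```python
"""Constructed model of a nested-resolver authorization gap (not data.all code)."""

class Forbidden(Exception):
    """Raised when the caller lacks the required permission."""

# Constructed sample records: one environment and one dataset inside it.
ENVIRONMENTS = {"env-1": {"uri": "env-1", "label": "prod", "admin_group": "platform"}}
DATASETS = {"ds-1": {"uri": "ds-1", "label": "sales", "environment_uri": "env-1"}}
# Hypothetical permission table: (user, resource uri) -> granted actions.
PERMISSIONS = {
    ("alice", "ds-1"): {"GET_DATASET"},
    ("bob", "ds-1"): {"GET_DATASET"},
    ("bob", "env-1"): {"GET_ENVIRONMENT"},
}

def require(user, uri, action):
    """Resource-level check that every access path should go through."""
    if action not in PERMISSIONS.get((user, uri), set()):
        raise Forbidden(f"{user} lacks {action} on {uri}")

def get_environment(user, uri):
    """Top-level query: guarded by the environment permission."""
    require(user, uri, "GET_ENVIRONMENT")
    return ENVIRONMENTS[uri]

def get_dataset(user, uri, resolve_environment):
    """Top-level query: checks the dataset, then resolves the nested parent field."""
    require(user, uri, "GET_DATASET")
    ds = dict(DATASETS[uri])
    ds["environment"] = resolve_environment(user, ds["environment_uri"])
    return ds

def resolve_env_unchecked(user, env_uri):
    """Flawed nested resolver: trusts the dataset check and skips the parent's."""
    return ENVIRONMENTS[env_uri]

def resolve_env_checked(user, env_uri):
    """Hardened nested resolver: same guard as get_environment, null if denied."""
    try:
        return get_environment(user, env_uri)
    except Forbidden:
        return None

if __name__ == "__main__":
    print(get_dataset("alice", "ds-1", resolve_env_unchecked)["environment"])  # leaks
    print(get_dataset("alice", "ds-1", resolve_env_checked)["environment"])    # None
    print(get_dataset("bob", "ds-1", resolve_env_checked)["environment"])      # allowed
```

A regression test for this class of bug requests each nested parent field as a user who holds only the child permission and asserts the field comes back empty.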
Related Identifiers
Affected Products
Alldata