diff --git a/2024/10xxx/CVE-2024-10953.json b/2024/10xxx/CVE-2024-10953.json
index 1316030d0e7..71115b0d296 100644
--- a/2024/10xxx/CVE-2024-10953.json
+++ b/2024/10xxx/CVE-2024-10953.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-10953",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "aws-security@amazon.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863 Incorrect Authorization",
+ "cweId": "CWE-863"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "amazon",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "data.all",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "1.0.0",
+ "version_value": "2.6.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013",
+ "refsource": "MISC",
+ "name": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
+ },
+ {
+ "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-x4j5-jm65-vp5j",
+ "refsource": "MISC",
+ "name": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-x4j5-jm65-vp5j"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": " A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.
"
+ }
+ ],
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
+ "version": "3.1"
}
]
}
diff --git a/2024/52xxx/CVE-2024-52311.json b/2024/52xxx/CVE-2024-52311.json
index 084c7349ae1..8b54b3197a9 100644
--- a/2024/52xxx/CVE-2024-52311.json
+++ b/2024/52xxx/CVE-2024-52311.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-52311",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "aws-security@amazon.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863 Incorrect Authorization",
+ "cweId": "CWE-863"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "amazon",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "data.all",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "1.0.0",
+ "version_value": "2.6.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013",
+ "refsource": "MISC",
+ "name": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
+ },
+ {
+ "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v",
+ "refsource": "MISC",
+ "name": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.
"
+ }
+ ],
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 6.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+ "version": "3.1"
}
]
}
diff --git a/2024/52xxx/CVE-2024-52312.json b/2024/52xxx/CVE-2024-52312.json
index 92a3b564500..bafd7529718 100644
--- a/2024/52xxx/CVE-2024-52312.json
+++ b/2024/52xxx/CVE-2024-52312.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-52312",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "aws-security@amazon.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863 Incorrect Authorization",
+ "cweId": "CWE-863"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "amazon",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "data.all",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "1.0.0",
+ "version_value": "2.6.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013",
+ "refsource": "MISC",
+ "name": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
+ },
+ {
+ "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-676j-g6g5-chj9",
+ "refsource": "MISC",
+ "name": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-676j-g6g5-chj9"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.
"
+ }
+ ],
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 5.4,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
+ "version": "3.1"
}
]
}
diff --git a/2024/52xxx/CVE-2024-52313.json b/2024/52xxx/CVE-2024-52313.json
index c0ffdc2f0a2..3cd529b2a48 100644
--- a/2024/52xxx/CVE-2024-52313.json
+++ b/2024/52xxx/CVE-2024-52313.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-52313",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "aws-security@amazon.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863 Incorrect AuthorizationCAPEC-122",
+ "cweId": "CWE-863"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "amazon",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "data.all",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "1.0.0",
+ "version_value": "2.6.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013",
+ "refsource": "MISC",
+ "name": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
+ },
+ {
+ "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c",
+ "refsource": "MISC",
+ "name": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.
"
+ }
+ ],
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
}
]
}
diff --git a/2024/52xxx/CVE-2024-52314.json b/2024/52xxx/CVE-2024-52314.json
index 215ba22ff7b..d6bc3c673f0 100644
--- a/2024/52xxx/CVE-2024-52314.json
+++ b/2024/52xxx/CVE-2024-52314.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-52314",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "aws-security@amazon.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863 Incorrect Authorization",
+ "cweId": "CWE-863"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "amazon",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "data.all",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "1.0.0",
+ "version_value": "2.6.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013",
+ "refsource": "MISC",
+ "name": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
+ },
+ {
+ "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h",
+ "refsource": "MISC",
+ "name": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.
"
+ }
+ ],
+ "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.9,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
}
]
}