CVE-2024-52313

An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2024-013	Vendor Advisory
https://github.com/data-dot-all/dataall/releases/tag/v2.6.1
https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:data.all:*:*:*:*:*:*:*:*

History

14 Oct 2025, 20:15

Type	Values Removed	Values Added
CWE	~~CWE-863~~	CWE-639

14 Oct 2025, 19:15

Type	Values Removed	Values Added
References		() https://github.com/data-dot-all/dataall/releases/tag/v2.6.1 -

19 Sep 2025, 14:18

Type	Values Removed	Values Added
References	~~() https://aws.amazon.com/security/security-bulletins/AWS-2024-013 -~~	() https://aws.amazon.com/security/security-bulletins/AWS-2024-013 - Vendor Advisory
References	~~() https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c -~~	() https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c - Vendor Advisory
CPE		cpe:2.3:a:amazon:data.all::::::::
First Time		Amazon Amazon data.all

Information

Published : 2024-11-09 01:15

Updated : 2025-10-14 20:15

NVD link : CVE-2024-52313

Mitre link : CVE-2024-52313

CVE.ORG link : CVE-2024-52313

JSON object : View

Products Affected

amazon

data.all

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-52313", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-09T01:15:05.363", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all."}, {"lang": "es", "value": "Un usuario autenticado de data.all puede manipular una consulta getDataset para obtener informaci\u00f3n adicional sobre el recurso Environment principal que de otro modo no podr\u00eda obtener consultando directamente el objeto a trav\u00e9s de getEnvironment en data.all."}], "lastModified": "2025-10-14T20:15:32.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:data.all:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40A41C20-B492-4201-8487-8BE4B262F770", "versionEndExcluding": "2.6.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}