CVE-2024-52313

An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2024-013	Vendor Advisory
https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:data.all:*:*:*:*:*:*:*:*

History

19 Sep 2025, 14:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:amazon:data.all::::::::
References	~~() https://aws.amazon.com/security/security-bulletins/AWS-2024-013 -~~	() https://aws.amazon.com/security/security-bulletins/AWS-2024-013 - Vendor Advisory
References	~~() https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c -~~	() https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c - Vendor Advisory
First Time		Amazon data.all Amazon

12 Nov 2024, 13:56

Type	Values Removed	Values Added
Summary		(es) Un usuario autenticado de data.all puede manipular una consulta getDataset para obtener información adicional sobre el recurso Environment principal que de otro modo no podría obtener consultando directamente el objeto a través de getEnvironment en data.all.

09 Nov 2024, 02:15

Type	Values Removed	Values Added
References		() https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c -

09 Nov 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-09 01:15

Updated : 2025-09-19 14:18

NVD link : CVE-2024-52313

Mitre link : CVE-2024-52313

CVE.ORG link : CVE-2024-52313

JSON object : View

Products Affected

amazon

data.all

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-52313", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-09T01:15:05.363", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all."}, {"lang": "es", "value": "Un usuario autenticado de data.all puede manipular una consulta getDataset para obtener informaci\u00f3n adicional sobre el recurso Environment principal que de otro modo no podr\u00eda obtener consultando directamente el objeto a trav\u00e9s de getEnvironment en data.all."}], "lastModified": "2025-09-19T14:18:22.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:data.all:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40A41C20-B492-4201-8487-8BE4B262F770", "versionEndExcluding": "2.6.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}