CVE-2023-36467— AWS data.all vulnerable to RCE through user injection of Python Commands

AWS data.all vulnerable to RCE through user injection of Python Commands

AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

AWS data.all 代码注入漏洞

AWS data.all是awslabs开源的一个开源开发框架。 AWS data.all 1.2.0至1.5.1版本存在代码注入漏洞，该漏洞源于允许经过身份验证的攻击者在配置数据管道时将 Python命令注入Template字段。

N/A

N/A