CVE-2024-52313— data.all authenticated users can obtain incorrect object level authorizations
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-52313
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
data.all authenticated users can obtain incorrect object level authorizations
Source: NVD (National Vulnerability Database)
Vulnerability Description
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
data.all 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
data.all是data-dot-all开源的一个开源开发框架。 data.all存在安全漏洞,该漏洞源于经过身份验证的 data.all 用户能够操作 getDataset 查询来获取有关父环境资源的其他信息,而用户原本无法通过 data.all 中的 getEnvironment 直接查询对象来获取这些信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-52313
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-52313
请登录查看更多情报信息。
Same Patch Batch · amazon · 2024-11-09 · 5 CVEs total
| CVE-2024-52311 | 6.3 MEDIUM | data.all does not invalidate authentication token upon user logout |
| CVE-2024-52312 | 5.4 MEDIUM | data.all authenticated users can perform restricted operations against DataSets and Enviro |
| CVE-2024-52314 | 4.9 MEDIUM | data.all admin user may access potentially sensitive data stored by producers via logs |
| CVE-2024-10953 | 4.3 MEDIUM | data.all authenticated users can perform mutating update operations on persisted notificat |
IV. Related Vulnerabilities
Same product: data.all
Same vendor: amazon
- CVE-2026-8178
Remote Code Execution via Unsafe Class Loading in Amazon Red - CVE-2026-7791
Amazon WorkSpaces 安全漏洞 - CVE-2026-6437
AWS EFS CSI Driver Mount Option Injection - CVE-2026-35558
Improper neutralization of special elements in authenticatio - CVE-2026-35559
Out-of-bounds write in query processing components in Amazon
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. Comments for CVE-2024-52313
No comments yet