CVE-2024-52314

A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2024-013	Vendor Advisory
https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:data.all:*:*:*:*:*:*:*:*

History

19 Sep 2025, 14:18

Type	Values Removed	Values Added
References	~~() https://aws.amazon.com/security/security-bulletins/AWS-2024-013 -~~	() https://aws.amazon.com/security/security-bulletins/AWS-2024-013 - Vendor Advisory
References	~~() https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h -~~	() https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h - Vendor Advisory
First Time		Amazon Amazon data.all
CPE		cpe:2.3:a:amazon:data.all::::::::

12 Nov 2024, 13:56

Type	Values Removed	Values Added
Summary		(es) Un miembro del equipo de administración de data.all que tenga acceso a la cuenta de AWS propiedad del cliente donde se implementa data.all puede extraer datos de usuario de los registros de la aplicación data.all en data.all a través del escaneo de registros de CloudWatch para operaciones particulares que interactúan con los datos de los equipos productores del cliente.

09 Nov 2024, 02:15

Type	Values Removed	Values Added
References		() https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h -

09 Nov 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-09 01:15

Updated : 2025-09-19 14:18

NVD link : CVE-2024-52314

Mitre link : CVE-2024-52314

CVE.ORG link : CVE-2024-52314

JSON object : View

Products Affected

amazon

data.all

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-52314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-09T01:15:05.863", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data."}, {"lang": "es", "value": "Un miembro del equipo de administraci\u00f3n de data.all que tenga acceso a la cuenta de AWS propiedad del cliente donde se implementa data.all puede extraer datos de usuario de los registros de la aplicaci\u00f3n data.all en data.all a trav\u00e9s del escaneo de registros de CloudWatch para operaciones particulares que interact\u00faan con los datos de los equipos productores del cliente."}], "lastModified": "2025-09-19T14:18:08.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:data.all:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40A41C20-B492-4201-8487-8BE4B262F770", "versionEndExcluding": "2.6.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}