{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52311", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2024-11-06T21:02:34.355Z", "datePublished": "2024-11-09T00:42:49.246Z", "dateUpdated": "2024-11-12T15:18:52.220Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "data.all", "vendor": "amazon", "versions": [{"lessThanOrEqual": "2.6.0", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.</p><br>"}], "value": "Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired."}], "impacts": [{"capecId": "CAPEC-633", "descriptions": [{"lang": "en", "value": "CAPEC-633 Token Impersonation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2024-11-09T00:55:17.946Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"}, {"tags": ["third-party-advisory"], "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.</p><br>"}], "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."}], "source": {"discovery": "UNKNOWN"}, "title": "data.all does not invalidate authentication token upon user logout", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-12T15:18:38.020797Z", "id": "CVE-2024-52311", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T15:18:52.220Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52311", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-12T15:18:38.020797Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T15:18:44.982Z"}}], "cna": {"title": "data.all does not invalidate authentication token upon user logout", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-633", "descriptions": [{"lang": "en", "value": "CAPEC-633 Token Impersonation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "amazon", "product": "data.all", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "semver", "lessThanOrEqual": "2.6.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.", "supportingMedia": [{"type": "text/html", "value": "<p>A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.</p><br>", "base64": false}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013", "tags": ["vendor-advisory"]}, {"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.", "supportingMedia": [{"type": "text/html", "value": "<p>Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2024-11-09T00:55:17.946Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52311", "state": "PUBLISHED", "dateUpdated": "2024-11-12T15:18:52.220Z", "dateReserved": "2024-11-06T21:02:34.355Z", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "datePublished": "2024-11-09T00:42:49.246Z", "assignerShortName": "AMZN"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired."}, {"lang": "es", "value": "Los tokens de autenticaci\u00f3n emitidos a trav\u00e9s de Cognito en data.all no se invalidan al cerrar la sesi\u00f3n, lo que permite que el usuario previamente autenticado contin\u00fae con la ejecuci\u00f3n de solicitudes API autorizadas hasta que el token caduque."}], "id": "CVE-2024-52311", "lastModified": "2024-11-12T13:56:54.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2024-11-09T01:15:04.133", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{}