CVE-2024-52314

data.all admin user may access potentially sensitive data stored by producers via logs

Description

A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.

Remediation

Solution:

  • A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.

Category

6.9
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.06%
Vendor Advisory amazon.com
Affected: amazon data.all
Published at:
Updated at:

References

Link Tags
https://aws.amazon.com/security/security-bulletins/AWS-2024-013 vendor advisory
https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-52314?
CVE-2024-52314 has been scored as a medium severity vulnerability.
How to fix CVE-2024-52314?
To fix CVE-2024-52314: A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.
Is CVE-2024-52314 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-52314 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-52314?
CVE-2024-52314 affects amazon data.all.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.