CVE-2024-52311
📋 TL;DR
This vulnerability in data.all's AWS Cognito integration means that logging out does not invalidate the authentication tokens already issued to the user: the data.all API keeps accepting them, for any operation that user was authorized to perform, until they expire. It affects every data.all deployment that authenticates with Cognito and has not been updated to v2.6.1.
💻 Affected Systems
- data.all
📦 What is this software?
data.all is an open source development framework from AWS for building a data marketplace on AWS. It ships a web UI and a GraphQL API; user authentication is delegated to an Amazon Cognito user pool, which issues the tokens this vulnerability concerns.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding a stolen or intercepted token keeps unauthorized access to sensitive data and can perform every operation the original user was allowed to, until the token expires. Cognito access and ID tokens are valid for 1 hour by default (configurable from 5 minutes to 24 hours); if the refresh token also survives logout, new access tokens can be minted for its lifetime, which defaults to 30 days.
Likely Case
Legitimate users who logged out but whose tokens were captured could have their sessions hijacked, leading to unauthorized data access and API calls.
If Mitigated
With short access and ID token lifetimes, and refresh tokens revoked at logout, the exposure is limited to the remaining validity window of the token that was captured.
🎯 Exploit Status
Exploitation requires obtaining valid authentication tokens through interception, theft, or legitimate user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.1
Vendor Advisory: https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v
Restart Required: Yes
Instructions:
1. Back up the current deployment.
2. Update data.all to version 2.6.1 or later.
3. Restart all data.all services so the new code is serving the API.
4. Verify that logout now invalidates tokens, using the test under "How to Verify" below.
🔧 Temporary Workarounds
Reduce Token Lifetime
Configure the Cognito app client that data.all uses to issue tokens with shorter expiration times, limiting the window in which a token that survives logout can be used. Token validity is an app-client setting, so it is changed with update-user-pool-client, not update-user-pool:
aws cognito-idp update-user-pool-client \
  --user-pool-id YOUR_POOL_ID \
  --client-id YOUR_APP_CLIENT_ID \
  --token-validity-units AccessToken=hours,IdToken=hours,RefreshToken=hours \
  --access-token-validity 1 \
  --id-token-validity 1 \
  --refresh-token-validity 8
Two caveats. update-user-pool-client resets every attribute you do not pass to its default value, so run describe-user-pool-client first and resend the existing settings (callback URLs, OAuth flows and scopes, auth flows). And shortening the access and ID tokens does nothing about the refresh token: unless it is revoked at logout (GlobalSignOut, AdminUserGlobalSignOut or RevokeToken on the Cognito side), a stolen refresh token keeps minting fresh access tokens for its whole validity period.
🧯 If You Can't Patch
- Have the logout path record an identifier of the token being discarded (the jti claim, or a hash of the token) in a store the API authorizer consults on every request, so the token is refused even though its signature and expiry are still valid. A WAF cannot do this on its own, because nothing in the request distinguishes a logged-out token from a live one.
- Deploy additional authentication layers (MFA, IP restrictions) for sensitive operations, so a captured token alone is not enough to perform them.
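The following is an added example, not data.all's code and not Cognito's: it shows the difference between the pre-fix check (a token is accepted as long as it is genuine and unexpired) and a logout-aware check that keeps a per-token revocation list. To run offline it signs tokens with HS256 and a shared secret; Cognito actually issues RS256 tokens verified against the user pool's JWKS, but the revocation logic is the same. The claim names (sub, exp, jti) are standard JWT claims; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a shared HMAC secret stands in for the user pool's RSA signing key so the
# example runs offline. The logout check below does not depend on the signature algorithm.
SIGNING_SECRET = b"example-only-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, jti: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint a signed token. jti is the per-token identifier the revocation list is keyed on."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}).encode())
    signature = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_signature_and_expiry(token: str, now: Optional[int] = None) -> Optional[dict]:
    """The pre-fix pattern: any genuine, unexpired token is accepted, logged out or not."""
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 (binascii.Error) or bad JSON all derive from ValueError
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class RevocationList:
    """Server-side record of tokens invalidated at logout, keyed by jti.
    In a real deployment this lives in a store shared by every API node (cache or
    database); entries can be dropped once their exp has passed, so the list never
    grows beyond the number of live tokens."""

    def __init__(self) -> None:
        self._revoked: dict = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: Optional[str]) -> bool:
        return jti is not None and jti in self._revoked

    def purge_expired(self, now: int) -> int:
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)


def logout(token: str, revocations: RevocationList, now: Optional[int] = None) -> bool:
    """What the logout handler must do: record the token so later calls with it are refused."""
    claims = verify_signature_and_expiry(token, now)
    if claims is None:
        return False
    revocations.revoke(claims)
    return True


def verify_with_logout_check(token: str, revocations: RevocationList,
                             now: Optional[int] = None) -> Optional[dict]:
    """The fixed pattern: signature and expiry as before, plus the logout denylist."""
    claims = verify_signature_and_expiry(token, now)
    if claims is None or revocations.is_revoked(claims.get("jti")):
        return None
    return claims
```

A resource server that validates Cognito JWTs locally (signature against the JWKS, then exp) sees nothing of a Cognito-side revocation; it needs either a denylist like this one, fed by its own logout handler, or a call to Cognito that is refused for revoked tokens (GetUser with the access token, for example) before it trusts the token.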
🔍 How to Verify
Check if Vulnerable:
A deployment is vulnerable if it runs a data.all version below 2.6.1 and authenticates users through AWS Cognito. To confirm the behaviour directly: log in to the web UI, capture the bearer token the browser sends to the data.all API (the Authorization header on a request to the GraphQL endpoint), log out, then replay an API request with that token from a separate client such as curl. On a vulnerable deployment the request still succeeds.
Check Version:
docker exec dataall_core python -c "import dataall; print(dataall.__version__)"
The container name and the version attribute above are deployment-specific assumptions; adjust the name to your environment, and if the package does not expose a version attribute, check the tag of the release you deployed instead.
Verify Fix Applied:
After patching, repeat the test: tokens should be invalidated immediately after logout and API calls should return 401 Unauthorized.
📡 Detection & Monitoring
Log Indicators:
These correlations are only possible if a per-token identifier (the jti claim, or a hash of the token; never the raw token) is logged on login, logout and every API call.
- API requests carrying a token identifier after a logout event recorded for that same identifier
- The same token identifier presented from different source IP addresses
- Session durations, measured from login to last API call, well beyond normal patterns
Network Indicators:
- API calls with tokens that should be invalidated
- Unusual token refresh patterns
SIEM Query:
The original query on this page was pseudo-logic rather than anything a SIEM would parse. A Splunk-style formulation of the same rule, API calls after a logout for the same token, follows; the field names (event, token_id, ts) are assumptions about your log schema.
source="dataall" event="api_call"
| join type=inner token_id [ search source="dataall" event="logout" | rename ts AS logout_ts | fields token_id logout_ts ]
| where ts > logout_ts
| table ts user token_id src_ip op logout_ts
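As an added example, not data.all's own logging or a product query, the following runs the two correlations from the indicator list (API calls after logout with the same token, and one token seen from several source IPs) over constructed JSON-per-line log records. data.all's real log schema is not shown on this page: the field names ts, event, user, token_id, src_ip and op are assumptions, and token_id stands for a token hash or jti, never the raw token.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Constructed sample records, not real data.all output. Field names are assumptions.
SAMPLE_LOGS = """\
{"ts": "2024-11-01T09:00:00Z", "event": "login",    "user": "alice", "token_id": "t-111", "src_ip": "10.0.0.5"}
{"ts": "2024-11-01T09:05:00Z", "event": "api_call", "user": "alice", "token_id": "t-111", "src_ip": "10.0.0.5", "op": "listDatasets"}
{"ts": "2024-11-01T09:10:00Z", "event": "logout",   "user": "alice", "token_id": "t-111", "src_ip": "10.0.0.5"}
{"ts": "2024-11-01T09:12:00Z", "event": "api_call", "user": "alice", "token_id": "t-111", "src_ip": "203.0.113.9", "op": "getDataset"}
{"ts": "2024-11-01T09:13:00Z", "event": "api_call", "user": "alice", "token_id": "t-111", "src_ip": "203.0.113.9", "op": "updateDataset"}
{"ts": "2024-11-01T09:20:00Z", "event": "login",    "user": "bob",   "token_id": "t-222", "src_ip": "10.0.0.6"}
{"ts": "2024-11-01T09:21:00Z", "event": "api_call", "user": "bob",   "token_id": "t-222", "src_ip": "10.0.0.6", "op": "listDatasets"}
"""


def parse_logs(text: str) -> List[dict]:
    """Parse JSON-per-line records and normalise ts to an aware UTC datetime; skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        records.append(rec)
    return records


def find_post_logout_use(records: Iterable[dict]) -> List[dict]:
    """Flag every api_call whose token_id was logged out earlier.
    Events are processed in timestamp order so out-of-order ingestion does not hide a hit."""
    logged_out_at: Dict[str, datetime] = {}
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        token = rec.get("token_id")
        if rec.get("event") == "logout" and token:
            logged_out_at[token] = rec["ts"]
        elif rec.get("event") == "api_call" and token in logged_out_at:
            findings.append({
                "user": rec.get("user"),
                "token_id": token,
                "op": rec.get("op"),
                "src_ip": rec.get("src_ip"),
                "seconds_after_logout": int((rec["ts"] - logged_out_at[token]).total_seconds()),
            })
    return findings


def find_multi_ip_tokens(records: Iterable[dict]) -> Dict[str, Set[str]]:
    """Second indicator: a token identifier presented from more than one source IP."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("event") == "api_call" and rec.get("token_id") and rec.get("src_ip"):
            ips[rec["token_id"]].add(rec["src_ip"])
    return {token: seen for token, seen in ips.items() if len(seen) > 1}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for hit in find_post_logout_use(recs):
        print("post-logout use:", hit)
    for token, seen in find_multi_ip_tokens(recs).items():
        print("token from several IPs:", token, sorted(seen))
```

The post-logout rule is the higher-fidelity of the two: a token identifier that appears after its own logout is exactly what the fix prevents, so on a patched deployment every hit is either a log-ordering problem or a real replay. The multi-IP rule is a supporting signal only; mobile users and proxies change source address legitimately.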