CVE-2024-52313
📋 TL;DR
This vulnerability allows authenticated data.all users to bypass intended access controls by manipulating dataset queries to retrieve sensitive environment information they shouldn't have access to. It affects data.all deployments where users have authenticated access but limited permissions. The issue is an authorization bypass through user-controlled key.
💻 Affected Systems
- data.all
📦 What is this software?
Data.all by Amazon
⚠️ Risk & Real-World Impact
Worst Case
Privileged users could access sensitive environment configuration data, potentially exposing credentials, connection strings, or other confidential infrastructure details that could lead to further compromise.
Likely Case
Users with limited permissions could access environment metadata they shouldn't see, potentially learning about other environments, configurations, or gaining insights for lateral movement.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure of non-critical environment metadata.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of GraphQL query manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.1
Vendor Advisory: https://github.com/data-dot-all/dataall/security/advisories/GHSA-hx8q-7wxv-6c7c
Restart Required: Yes
Instructions:
1. Back up your data.all instance.
2. Update to v2.6.1 using your deployment method (Docker, Kubernetes, etc.).
3. Restart the data.all services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict User Permissions
Tighten user permissions to minimize potential impact while awaiting the patch.
Monitor GraphQL Queries
Implement logging and monitoring for unusual getDataset query patterns.
🧯 If You Can't Patch
- Implement strict access controls and principle of least privilege for all users
- Monitor and audit all GraphQL queries, especially getDataset operations, for unusual patterns
🔍 How to Verify
Check if Vulnerable:
Check if your data.all version is below v2.6.1
Check Version:
Check the data.all web interface admin panel or deployment configuration for version information
Verify Fix Applied:
Confirm version is v2.6.1 or higher and test that getDataset queries no longer return unauthorized environment data
📡 Detection & Monitoring
Log Indicators:
- Unusual getDataset query patterns
- Multiple getDataset queries from single user in short time
- getDataset queries with unusual parameters
Network Indicators:
- GraphQL queries attempting to fetch environment data via dataset endpoints
SIEM Query:
source="dataall" AND (query="getDataset" AND parameters CONTAINS "environment")