Vulnerability Description
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Aws-Dataall | >= 1.2.0, <= 1.5.1 |
Related Weaknesses (CWE)
References
- https://github.com/awslabs/aws-dataall/pull/472Patch
- https://github.com/awslabs/aws-dataall/releases/tag/v1.5.2Release Notes
- https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4Release Notes
- https://github.com/awslabs/aws-dataall/security/advisories/GHSA-m922-chh7-8qcrVendor Advisory
- https://github.com/awslabs/aws-dataall/pull/472Patch
- https://github.com/awslabs/aws-dataall/releases/tag/v1.5.2Release Notes
- https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4Release Notes
- https://github.com/awslabs/aws-dataall/security/advisories/GHSA-m922-chh7-8qcrVendor Advisory
FAQ
What is CVE-2023-36467?
CVE-2023-36467 is a vulnerability with a CVSS score of 8.0 (HIGH). AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a us...
How severe is CVE-2023-36467?
CVE-2023-36467 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-36467?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Aws-Dataall.