CVE-2023-36467 HIGH

CVE-2023-36467: AWS data.all vulnerable to RCE through user injection of Python Commands

Vendor Awslabs

Product aws-dataall

Weakness CWE-94 · Code injection

Published June 28, 2023

Last update November 6, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around.

Key dates

Disclosure timeline

June 28, 2023 CVE published

November 6, 2024 Record updated