CVE-2024-52311 MEDIUM

CVE-2024-52311: data.all does not invalidate authentication token upon user logout

Vendor Amazon
Product data.all
Weakness CWE-613 · Insufficient session expiration
Published November 9, 2024
Last update October 14, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Authentication tokens issued via Cognito in data.all are not invalidated on logout, allowing a previously authenticated user to continue executing authorized API requests until the token expires.

Key dates

02 Disclosure timeline

November 9, 2024 CVE published
October 14, 2025 Record updated