CVE-2024-52313 MEDIUM

CVE-2024-52313: data.all authenticated users can obtain incorrect object level authorizations

Vendor Amazon
Product data.all
Weakness CWE-639 · IDOR
Published November 9, 2024
Last update October 14, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by directly querying the object via getEnvironment in data.all.

Key dates

02Disclosure timeline

November 9, 2024 CVE published
October 14, 2025 Record updated