CVE-2024-52311

Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Potential Mitigations

References

• https://aws.amazon.com/security/security-bulletins/AWS-2024-013
• https://github.com/data-dot-all/dataall/releases/tag/v2.6.1
• https://github.com/data-dot-all/dataall/security/advisories/GHSA-p69m-h9rw-584v