Headline
CVE-2023-36467: data.all vulnerable to RCE through user injection of Python Commands
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around.
Impact
data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. This is fixed in V1.5.2.
Patches
A fix for this issue is available in data.all version 1.5.2 and later.
Workarounds
There is no recommended work around. Customers are advised to upgrade to version 1.5.2 or the latest version of 1.5.4.
References
https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.