Impact
data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. This is fixed in V1.5.2.
Patches
A fix for this issue is available in data.all version 1.5.2 and later.
Workarounds
There is no recommended work around. Customers are advised to upgrade to version 1.5.2 or the latest version of 1.5.4.
References
https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Impact
data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. This is fixed in V1.5.2.
Patches
A fix for this issue is available in data.all version 1.5.2 and later.
Workarounds
There is no recommended work around. Customers are advised to upgrade to version 1.5.2 or the latest version of 1.5.4.
References
https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.