Impact
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.
Impacted versions: v1.0.0 - 2.6.0
Patches
A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later and ensure any forked or derivative code are patched to incorporate the new fixes.
Workarounds
There is no recommended work around. Customers are advised to upgrade to version 2.6.1 or the latest version.
References
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
Impact
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.
Impacted versions: v1.0.0 - 2.6.0
Patches
A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later and ensure any forked or derivative code are patched to incorporate the new fixes.
Workarounds
There is no recommended work around. Customers are advised to upgrade to version 2.6.1 or the latest version.
References
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting