Amazon CVE Vulnerabilities & CVE List (184)

Products (CPE): — CVEs: 184

Amazon vulnerability overview

Aggregates CVE and security vulnerability intelligence across all Amazon-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Disclosed issues often relate to path handling, cross-site scripting, and input validation; exposure may include memory corruption in server deployment contexts.

Vulnerability distribution trend (last 24 months)

Showing 41-60 of 184 CVEs
Page 3 / 10
CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated
CVE-2025-2887 | During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.7 | 0.27% | 2025-03-27 | 2026-06-17
CVE-2025-2886 | Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.7 | 0.26% | 2025-03-27 | 2026-06-17
CVE-2025-2885 | Missing validation of the root metadata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.7 | 0.29% | 2025-03-27 | 2026-06-17
CVE-2025-2598 | When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.7 | 0.26% | 2025-03-21 | 2026-06-17
CVE-2025-23206 | The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use the IAM OIDC custom resource provider package will download CA thumbprints as part of the custom resource workflow. However, the current `tls.connect` method will always set `rejectUnauthorized: false`, which is a potential security concern. CDK should follow the best practice and set `rejectUnauthorized: true`. Howe | [email protected] | 1.8 | 0.32% | 2025-01-17 | 2026-06-17
CVE-2024-12746 | A SQL injection in the Amazon Redshift ODBC Driver v2.1.5.0 (Windows or Linux) allows a user to gain escalated privileges via the SQLTables or SQLColumns Metadata APIs. Users are recommended to upgrade to driver version 2.1.6.0 or revert to driver version 2.1.4.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.6 | 0.45% | 2024-12-24 | 2026-06-17
CVE-2024-12745 | A SQL injection in the Amazon Redshift Python Connector v2.1.4 allows a user to gain escalated privileges via the get_schemas, get_tables, or get_columns Metadata APIs. Users are recommended to upgrade to driver version 2.1.5 or revert to driver version 2.1.3. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.6 | 0.51% | 2024-12-24 | 2026-06-17
CVE-2024-12744 | A SQL injection in the Amazon Redshift JDBC Driver v2.1.0.31 allows a user to gain escalated privileges via the getSchemas, getTables, or getColumns Metadata APIs. Users should upgrade to driver version 2.1.0.32 or revert to driver version 2.1.0.30. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.6 | 0.57% | 2024-12-24 | 2026-06-17
CVE-2024-55886 | OpenSearch Data Prepper is a component of the OpenSearch project that accepts, filters, transforms, enriches, and routes data at scale. A vulnerability exists in the OpenTelemetry Logs source in Data Prepper starting in version 2.1.0 and prior to version 2.10.2 where some custom authentication plugins will not perform authentication. This allows unauthorized users to ingest OpenTelemetry Logs data under certain conditions. This vulnerability does not affect the built-in `http_basic` authenticatio | [email protected] | 6.9 | 0.31% | 2024-12-12 | 2026-06-17
CVE-2024-52314 | A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs via CloudWatch log scanning for particular operations that interact with customer producer teams' data. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 6.9 | 0.39% | 2024-11-08 | 2026-06-17
CVE-2024-52313 | An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not be able to fetch by directly querying the object via getEnvironment in data.all. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.27% | 2024-11-08 | 2026-06-17
CVE-2024-52312 | Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.33% | 2024-11-08 | 2026-06-17
CVE-2024-52311 | Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing a previously authenticated user to continue executing authorized API requests until the token expires. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.46% | 2024-11-08 | 2026-06-17
CVE-2024-10953 | An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications of groups that the user is not a member of. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.31% | 2024-11-08 | 2026-06-17
CVE-2024-45037 | The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications, which are converted to AWS CloudFormation templates during deployment to a customer's AWS account. CDK contains pre-built components called "constructs" that are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure mor | [email protected] | 6.4 | 0.31% | 2024-08-27 | 2026-06-17
CVE-2024-6387 | A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | [email protected] | 8.1 | 99.51% | 2024-07-01 | 2026-06-17
CVE-2024-38373 | FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response with a domain name length value greater than the actual domain name length could cause the parser to read beyond the DNS response buffer. This issue affects applications using the DNS functionality of the FreeRTOS-Plus-TCP stack. Applications that do not use | [email protected] | 9.6 | 0.65% | 2024-06-24 | 2026-06-17
CVE-2024-37293 | The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations while taking advantage of services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit to alleviate the heavy lifting and management compared to a traditional CI/CD setup. ADF contains a bootst | [email protected] | 7.5 | 0.15% | 2024-06-11 | 2026-06-17
CVE-2024-28056 | Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January | [email protected] | 9.8 | 1.67% | 2024-04-15 | 2026-06-17
CVE-2024-28115 | FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protection Unit (MPU) support enabled (i.e. `configENABLE_MPU` set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper. | [email protected] | 8.8 | 0.24% | 2024-03-07 | 2026-06-17
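The three tough advisories in the table (CVE-2025-2885, CVE-2025-2886, CVE-2025-2887) each describe one client-side check that The Update Framework requires. The Python below is an added example, not tough's own Rust code and not taken from the page: it models the three checks on plain dicts, skips signature verification and expiry, and runs on constructed metadata (the role names team-a and team-b, the version numbers, and the pkg/* path pattern are invented for illustration). The `honor_terminating=False` switch reproduces the faulty delegation search so the two behaviours can be compared.

```python
from fnmatch import fnmatch


class MetadataError(Exception):
    """Raised when candidate metadata fails a client-side check."""


def update_root(trusted_root: dict, new_root: dict) -> dict:
    """Accept a candidate root file only if its version is exactly trusted + 1.

    The client fetched the file by the name N+1.root.json; without this check
    the repository can return a file whose own version field says anything
    (the CVE-2025-2885 condition).
    """
    expected = trusted_root["version"] + 1
    if new_root["version"] != expected:
        raise MetadataError(
            f"root version {new_root['version']} != expected {expected}")
    return new_root


def update_snapshot(trusted_snapshot: dict, new_snapshot: dict) -> dict:
    """Rollback check over every targets role the trusted snapshot lists.

    Each role, top-level and delegated, must keep or raise its version in the
    new snapshot. Checking only targets.json leaves delegated roles open to
    rollback (the CVE-2025-2887 condition).
    """
    for role, old in trusted_snapshot["meta"].items():
        new = new_snapshot["meta"].get(role)
        if new is None:
            raise MetadataError(f"{role} missing from new snapshot")
        if new["version"] < old["version"]:
            raise MetadataError(
                f"rollback: {role} version {old['version']} -> {new['version']}")
    return new_snapshot


def find_target(role: dict, path: str, honor_terminating: bool = True):
    """Pre-order depth-first search for `path` through a role's delegations.

    A delegation whose path patterns match is searched; when it yields nothing
    and is marked terminating, the search stops. honor_terminating=False
    reproduces the faulty behaviour of continuing down the delegation list
    (the CVE-2025-2886 condition). Delegated roles are inlined here for
    illustration; a real client loads each one from its own metadata file.
    """
    if path in role["targets"]:
        return role["targets"][path]
    for child in role.get("delegations", []):
        if not any(fnmatch(path, pattern) for pattern in child["paths"]):
            continue
        found = find_target(child, path, honor_terminating)
        if found is not None:
            return found
        if child.get("terminating", False) and honor_terminating:
            return None  # terminating delegation exhausted: stop searching
    return None


def rejected(check, *args) -> bool:
    """True when check(*args) raises MetadataError."""
    try:
        check(*args)
    except MetadataError:
        return True
    return False


# Constructed sample metadata (no signatures, no expiry).
TRUSTED_ROOT = {"version": 3}
NEXT_ROOT = {"version": 4}
SKIPPED_ROOT = {"version": 9}
TRUSTED_SNAPSHOT = {"meta": {"targets.json": {"version": 5},
                             "team-a.json": {"version": 7}}}
ROLLED_BACK_SNAPSHOT = {"meta": {"targets.json": {"version": 5},
                                 "team-a.json": {"version": 6}}}
TOP_TARGETS = {
    "targets": {},
    "delegations": [
        {"name": "team-a", "paths": ["pkg/*"], "terminating": True, "targets": {}},
        {"name": "team-b", "paths": ["pkg/*"], "terminating": False,
         "targets": {"pkg/app.tar.gz": {"length": 1234}}},
    ],
}

if __name__ == "__main__":
    print("next root accepted:", update_root(TRUSTED_ROOT, NEXT_ROOT)["version"])
    print("skipped root rejected:", rejected(update_root, TRUSTED_ROOT, SKIPPED_ROOT))
    print("delegated rollback rejected:",
          rejected(update_snapshot, TRUSTED_SNAPSHOT, ROLLED_BACK_SNAPSHOT))
    print("terminating honoured:", find_target(TOP_TARGETS, "pkg/app.tar.gz"))
    print("terminating ignored:",
          find_target(TOP_TARGETS, "pkg/app.tar.gz", honor_terminating=False))
```

The terminating case is the one worth staring at: team-a owns pkg/* and has published nothing, so the correct answer is "no such target"; a client that keeps walking the list happily takes team-b's copy of pkg/app.tar.gz, which is exactly the wrong-source fetch the advisory describes.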
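CVE-2024-28056 in the table comes down to a role trust policy that still allows sts:AssumeRoleWithWebIdentity after its Condition block was deleted, so any web-identity token from the federated principal can assume the role. The checker below is an added example and not Amplify CLI code or anything from the page; it walks trust-policy documents in the shape that `aws iam list-roles` returns and reports Allow statements for that action that carry no Condition. The two sample policies, the role names, and the identity-pool ID are constructed placeholders.

```python
import json


def _as_list(value):
    """IAM lets most policy fields be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_web_identity(actions) -> bool:
    """True if the Action element covers sts:AssumeRoleWithWebIdentity."""
    for action in _as_list(actions):
        if action.lower() in ("*", "sts:*", "sts:assumerolewithwebidentity"):
            return True
    return False


def unconditioned_web_identity_statements(policy: dict) -> list:
    """Return Allow statements for AssumeRoleWithWebIdentity with no Condition.

    Such a statement lets any token the federated principal issues assume
    the role, not just tokens from one identity pool in one auth state.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_web_identity(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by aud/amr or similar: not the bug pattern
        findings.append({"index": index, "sid": stmt.get("Sid"),
                         "principal": stmt.get("Principal")})
    return findings


def audit_roles(roles: list) -> list:
    """Names of roles whose trust policy has an unconditioned statement.

    `roles` mirrors the Roles array of `aws iam list-roles`; the trust
    policy may arrive as a parsed dict or as a JSON string.
    """
    flagged = []
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):
            doc = json.loads(doc)
        if unconditioned_web_identity_statements(doc):
            flagged.append(role["RoleName"])
    return flagged


# Constructed samples. The identity pool ID is a placeholder.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
SAFE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}
# The same statement with its Condition removed, as the advisory describes.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}
SAMPLE_ROLES = [
    {"RoleName": "amplify-app-authRole",
     "AssumeRolePolicyDocument": SAFE_TRUST_POLICY},
    {"RoleName": "amplify-app-unauthRole",
     "AssumeRolePolicyDocument": json.dumps(BROKEN_TRUST_POLICY)},
]

if __name__ == "__main__":
    print("roles to fix:", audit_roles(SAMPLE_ROLES))
```

Pointing `audit_roles` at the parsed Roles array of `aws iam list-roles --output json` covers a whole account in one pass. A hit does not by itself prove the role was produced by the Amplify CLI, but any role that accepts web-identity federation without an aud/amr (or equivalent) condition is one to fix or delete regardless of who created it.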
cvelogic Threat Intelligence
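The three Redshift driver advisories in the table (CVE-2024-12744, CVE-2024-12745, CVE-2024-12746) are the same bug class seen from three clients: a metadata API that splices caller-supplied schema and table name patterns into catalog SQL. The snippet below is an added example and not the Redshift driver code; it reproduces the pattern against an in-memory SQLite database standing in for the catalog, with the vulnerable query and a parameterised one side by side. The catalog_tables and secrets tables, their rows, and the payload string are all constructed.

```python
import sqlite3


def make_catalog() -> sqlite3.Connection:
    """In-memory stand-in for the database catalog, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE catalog_tables(schema_name TEXT, table_name TEXT);
        INSERT INTO catalog_tables VALUES
            ('public', 'orders'), ('public', 'customers'), ('finance', 'payroll');
        CREATE TABLE secrets(secret TEXT);
        INSERT INTO secrets VALUES ('db-admin-password');
    """)
    return conn


def get_tables_vulnerable(conn, schema_pattern: str, table_pattern: str = "%") -> list:
    """Metadata lookup that splices caller-supplied LIKE patterns into SQL.

    A pattern containing a quote ends the literal, and the rest of the string
    runs as SQL with whatever rights the metadata query executes under.
    """
    sql = ("SELECT table_name FROM catalog_tables "
           f"WHERE schema_name LIKE '{schema_pattern}' "
           f"AND table_name LIKE '{table_pattern}'")
    return [row[0] for row in conn.execute(sql)]


def get_tables_fixed(conn, schema_pattern: str, table_pattern: str = "%") -> list:
    """Same lookup with the patterns bound as parameters, never as SQL text."""
    sql = ("SELECT table_name FROM catalog_tables "
           "WHERE schema_name LIKE ? AND table_name LIKE ?")
    return [row[0] for row in conn.execute(sql, (schema_pattern, table_pattern))]


def quote_ident(name: str) -> str:
    """For names that must land in identifier position (FROM schema.table),
    where bind parameters cannot be used: double-quote and escape quotes."""
    return '"' + name.replace('"', '""') + '"'


# Constructed payload: closes the LIKE literal, unions in another table,
# and comments out the remainder of the original query.
PAYLOAD = "public' UNION SELECT secret FROM secrets --"

if __name__ == "__main__":
    conn = make_catalog()
    print("vulnerable:", get_tables_vulnerable(conn, PAYLOAD))
    print("fixed:     ", get_tables_fixed(conn, PAYLOAD))
```

The vulnerable call returns the secret alongside the public tables; the fixed call returns nothing, because the whole payload is now just a pattern that matches no schema name. Bind parameters only cover values: where a driver has to place a user-supplied name in identifier position, it needs identifier quoting (as `quote_ident` shows) or an allow-list check instead.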