PT-2022-20574 · Amazon+1 · Aws Sdk For Java+1

Jlleitschuh · Published 2022-07-15 · Updated 2024-12-10 · CVE-2022-31159

CVSS v3.1: 7.9 High

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

AWS SDK for Java versions prior to 1.12.261

Description

A partial-path traversal issue exists in the downloadDirectory method of the AWS S3 TransferManager component of the AWS SDK for Java. A knowledgeable actor can bypass the validation logic by including a UNIX double-dot in the bucket key, potentially permitting them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. The scope of this issue is limited to directories whose name prefix matches the destinationDirectory. For example, for a destination directory /tmp/foo, the actor can cause a download to /tmp/foo-bar, but not /tmp/bar. If com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory is used to download an untrusted bucket's contents, the contents of that bucket can be written outside of the intended destination directory.

Recommendations

For versions prior to 1.12.261, upgrade to version 1.12.261 or later to resolve the issue. As a temporary workaround, when calling com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory, pass a KeyFilter that forbids S3ObjectSummary objects whose getKey method returns a string containing the substring "..".
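
An added illustration, not code from the AWS SDK or from this advisory: the scope described above (/tmp/foo-bar reachable, /tmp/bar not) is what a string-prefix comparison of canonical paths produces, so the example assumes that form of check and sets it beside a component-wise check and the ".." key predicate from the workaround. The class name, method names and sample keys are constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class PartialPathTraversalCheck {

    // Weak check (assumed form): string prefix comparison on canonical paths.
    // "/tmp/foo-bar/a.txt" begins with "/tmp/foo", so a sibling directory
    // sharing the name prefix is accepted.
    static boolean weakIsInside(File destDir, File target) throws IOException {
        return target.getCanonicalPath().startsWith(destDir.getCanonicalPath());
    }

    // Hardened check: Path.startsWith compares whole name elements,
    // so "/tmp/foo-bar" is not treated as being under "/tmp/foo".
    static boolean strictIsInside(File destDir, File target) throws IOException {
        Path base = destDir.getCanonicalFile().toPath();
        Path resolved = target.getCanonicalFile().toPath();
        return resolved.startsWith(base);
    }

    // The predicate the workaround asks a KeyFilter to apply to getKey():
    // refuse any key that contains "..".
    static boolean keyAllowed(String key) {
        return !key.contains("..");
    }

    public static void main(String[] args) throws IOException {
        File destDir = new File("/tmp/foo");   // constructed destination directory
        String[] keys = {                      // constructed sample bucket keys
            "reports/a.txt",
            "../foo-bar/a.txt",
            "../bar/a.txt"
        };
        for (String key : keys) {
            File target = new File(destDir, key);
            System.out.printf("%-18s weak=%-5b strict=%-5b keyFilter=%b%n",
                key,
                weakIsInside(destDir, target),
                strictIsInside(destDir, target),
                keyAllowed(key));
        }
    }
}
```

Only the second key separates the two checks: the prefix comparison accepts it while the component-wise check and the key predicate both reject it.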

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-31159
GHSA-C28R-HW5M-5GV3

Affected Products

Aws Sdk For Java
Bamboo