PT-2023-31869 · Amazon · Aws Sdk For Php

Arkark · Published 2023-12-21 · Updated 2026-02-02 · CVE-2023-51651

CVSS v3.1: 6.0 Medium

Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

AWS SDK for PHP versions prior to 3.288.1

Description

A URI path traversal issue exists in the AWS SDK for PHP, affecting requests for S3 object keys and/or prefixes that contain a Unix double-dot. The issue arises because the buildEndpoint method in the RestSerializer component relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed.

Recommendations

If you are on a version prior to 3.288.1, upgrade to AWS SDK for PHP version 3.288.1 or later. As a temporary workaround, consider restricting access to S3 object keys and/or prefixes containing a Unix double-dot until the issue is resolved. Additionally, be cautious when using the buildEndpoint method in the RestSerializer component to minimize the risk of exploitation.
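
The dot-segment stripping described above, together with a guard for the temporary workaround, as an added example (not the SDK's code and not part of the original advisory). removeDotSegments is a simplified RFC 3986 section 5.2.4 routine written for this illustration; the helper name isDotSegmentFreeKey and the sample keys are hypothetical.

```php
<?php
declare(strict_types=1);

// Simplified RFC 3986 section 5.2.4 dot-segment removal, written for this
// example to mirror what a URI resolver does to a request path.
function removeDotSegments(string $path): string
{
    $kept = [];
    $segments = explode('/', $path);
    foreach ($segments as $segment) {
        if ($segment === '..') {
            array_pop($kept);        // ".." discards the preceding segment
        } elseif ($segment !== '.') {
            $kept[] = $segment;      // "." is dropped, everything else is kept
        }
    }
    $result = implode('/', $kept);
    if (substr($path, 0, 1) === '/' && substr($result, 0, 1) !== '/') {
        $result = '/' . $result;     // keep an absolute path absolute
    }
    $last = end($segments);
    if ($result !== '' && substr($result, -1) !== '/' && ($last === '.' || $last === '..')) {
        $result .= '/';              // a trailing dot segment leaves a directory path
    }
    return $result;
}

// Hypothetical guard for application code: accept a key or prefix only if the
// path built from it is left unchanged by dot-segment removal.
function isDotSegmentFreeKey(string $key): bool
{
    $path = '/' . $key;
    return removeDotSegments($path) === $path;
}

// Constructed sample keys, not taken from the advisory.
$keys = [
    'tenant-a/reports/q4.pdf',
    'tenant-a/../tenant-b/reports/q4.pdf',
    'tenant-a/./reports/q4.pdf',
    'tenant-a/..notes/readme.txt',   // "..notes" is an ordinary segment
];
foreach ($keys as $key) {
    $verdict = isDotSegmentFreeKey($key) ? 'accept' : 'reject';
    printf("%-38s => %-32s %s\n", $key, removeDotSegments('/' . $key), $verdict);
}
```

Running the check on user-influenced keys and prefixes before they reach the SDK rejects any key whose request path would differ from the key the application authorized.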

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-51651
GHSA-557V-XCG6-RM5M
GHSA-73JG-4QH6-3F4G
GO-2026-4390

Affected Products

Aws Sdk For Php