PT-2025-13791 · Amazon Web Services · Aws Sam Cli
Published: 2025-03-31 · Updated: 2025-03-31 · CVE-2025-3048
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
AWS Serverless Application Model Command Line Interface (SAM CLI) versions prior to 1.134.0
Description
The issue arises when a build completed with the AWS Serverless Application Model Command Line Interface (SAM CLI) includes symlinks. The content that these symlinks point to is copied into the cache of the local workspace as regular files or directories. As a result, a user gains access to the symlink targets via the local workspace, even if they do not have access to them outside of the Docker container.
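The copy step described above is the point at which symlink targets leak: a copy that dereferences links writes the target's bytes into the workspace cache. The following is an added example, not SAM CLI's own code, showing a defender-side audit that lists symlinks whose resolved target lies outside the build root, and a copy routine that preserves links and drops those escaping ones instead of dereferencing them. Function names, the `demo()` fixture, and the sample file names are constructed for illustration.

```python
"""Audit and safely copy a build tree that may contain escaping symlinks.

Added example, not SAM CLI code. The hypothetical helpers below keep
symlinks as symlinks and refuse any whose resolved target leaves `root`,
which is the behaviour a dereferencing copy into a cache lacks.
"""
import os
import shutil
import tempfile


def _escapes(root: str, path: str) -> bool:
    """True if the resolved target of `path` lies outside `root`."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_root, os.path.realpath(path)]) != real_root


def find_escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (relative link path, raw link target) for links leaving root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) and _escapes(root, p):
                found.append((os.path.relpath(p, root), os.readlink(p)))
    return found


def safe_copy_tree(src: str, dst: str) -> list[str]:
    """Copy src to dst keeping symlinks as symlinks; drop escaping ones."""
    dropped: list[str] = []

    def ignore(dirpath, names):  # shutil calls this once per directory
        bad = [n for n in names if os.path.islink(os.path.join(dirpath, n))
               and _escapes(src, os.path.join(dirpath, n))]
        dropped.extend(os.path.relpath(os.path.join(dirpath, n), src) for n in bad)
        return set(bad)

    shutil.copytree(src, dst, symlinks=True, ignore=ignore)
    return dropped


def demo() -> dict:
    """Constructed fixture: one in-tree link and one link to a file outside."""
    outside, project, cache = (tempfile.mkdtemp(prefix=p) for p in ("out-", "proj-", "cache-"))
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("not for the workspace\n")
    with open(os.path.join(project, "app.py"), "w") as f:
        f.write("print('hello')\n")
    os.symlink("app.py", os.path.join(project, "app_link.py"))  # stays in tree
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(project, "leak.txt"))
    escaping = find_escaping_symlinks(project)
    dropped = safe_copy_tree(project, os.path.join(cache, "build"))
    copied = sorted(os.listdir(os.path.join(cache, "build")))
    for d in (outside, project, cache):
        shutil.rmtree(d)
    return {"escaping": escaping, "dropped": dropped, "copied": copied}
```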
Recommendations
For versions prior to 1.134.0, upgrade to version 1.134.0 and ensure any forked or derivative code is patched to incorporate the new fixes. After upgrading, re-build applications using the sam build --use-container command to update the symlinks.
Fix
Path traversal
Affected Products
Aws Sam Cli