Main Vulnerability Database Vulnerabilities #VU73175

Path traversal in AWS SDK for Java - CVE-2022-31159

Published: March 8, 2023

Vulnerability identifier: #VU73175

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-31159

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Amazon Web Services

Affected software:
AWS SDK for Java

Detailed vulnerability description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the downloadDirectory() method in in the AWS S3 TransferManager component. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.

How to mitigate CVE-2022-31159

Install update from vendor's website.

Sources

https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3

Path traversal in AWS SDK for Java - CVE-2022-31159

Detailed vulnerability description

How to mitigate CVE-2022-31159

Sources

Please verify you're human