CVE-2022-31159
The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the downloadDirectory method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the...
0.workspace (>=0.1.0 <=0.1.1), 18a58t9c-upload (>=1.0.0 <=1.0.3) +17981 more potentially affected by unknown CVE via aws-sdk (>=2.0.11 <=2.9.0)
aws-sdk NPM version =2.0.11, =0.1.0, =1.0.0, =0.21.0, =1.0.0, =1.0.0, =0.1.0, =3.6.0, =0.0.2, =0.3.0, =0.1.0, =0.5.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-J965-2QGJ-VJMQ...
EUVD-2023-36976
Malicious code in bioql PyPI...
EUVD-2022-7612
Malicious code in bioql PyPI...
CVE-2022-4725
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to...
GHSA-RV78-QQRQ-73M5 Directus's S3 assets become unavailable after a burst of HEAD requests
Summary There's some tools that use Directus to sync content and assets. Some of those tools use HEAD method, like Shopify, to check the existence of files. Although, when making many HEAD requests at once, at some point, all assets are being served as 403. Details When I was investigating this...
Directus's S3 assets become unavailable after a burst of malformed transformations
Summary When making many malformed transformation requests at once, at some point, all assets are being served as 403. Details When I was investigating this issue, I have found that after a burst of malformed asset transformation requests, the amount of sockets held on Agent on NodeHttpHandler wa...
GHSA-J8XJ-7JFF-46MX Directus's S3 assets become unavailable after a burst of malformed transformations
Summary When making many malformed transformation requests at once, at some point, all assets are being served as 403. Details When I was investigating this issue, I have found that after a burst of malformed asset transformation requests, the amount of sockets held on Agent on NodeHttpHandler wa...
CVE-2025-0508 MD5 Hash Collision in SageMaker Workflow in aws/sagemaker-python-sdk
A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This...
[SECURITY] Fedora 41 Update: golang-github-aws-sdk-2-20250103-1.fc41
AWS SDK for the Go programming language...
MAL-2024-11257 Malicious code in @aws-sdk-examples/libs (npm)
--- -= Per source details. Do not edit below this line.=-...
Path traversal
AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the buildEndpoint method in the RestSerializer component of the AWS SDK f...
CVE-2023-51651 Potential URI resolution path traversal in the AWS SDK for PHP
AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the buildEndpoint method in the RestSerializer component of the AWS SDK f...
GHSA-557V-XCG6-RM5M Potential URI resolution path traversal in the AWS SDK for PHP
Impact Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the buildEndpoint method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The buildEndpoint method relies on the Guzz...
Input validation
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email...
CVE-2023-39951
CVE-2023-39951 affects OpenTelemetry Java Instrumentation prior to 1.28.0. When instrumenting AWS SDK v2 calls to SES v1, the request query parameters are inserted into the trace url.path, causing the HTTP body (subject and message) to be exposed in telemetry backends. This information disclosure...
Cross-Site Scripting (XSS)
github.com/pydio/cells is vulnerable to Cross-Site Scripting XSS attacks. The Amazon AWS SDK for JavaScript is used to create presigned URLs for Pydio Cells. It is feasible to create valid signatures for any download URLs since the secrets required to sign these URLs are hardcoded and made...
Security Bulletin: There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159)
Summary There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management. This only affects systems configured to store attachments in a Simple Storage Service (S3) cloud object storage. Vulnerability Details CVEID: CVE-2022-31159 DESCRIPTION: AWS SDK for Java could allow a remo...
CVE-2023-32751
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it i...