Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:36376
HistoryJul 18, 2022 - 4:33 a.m.

Path Traversal

2022-07-1804:33:11
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
148
vulnerability
path traversal
aws-java-sdk-s3
transfermanager.java
download directory
s3 bucket
validation logic
unix double-dot

EPSS

0.001

Percentile

19.7%

aws-java-sdk-s3 is vulnerable to path traversal. The vulnerability exists due to the insufficient guard logic used for the download directory in the leavesRoot function of TransferManager.java, allowing an attacker to access files from the S3 bucket that is one level up in the file system by evading the validation logic by adding a UNIX double-dot to the bucket key when the directory name prefix matches the destination directory.

Affected configurations

Vulners
Node
amazonaws-sdk-javaRange≤1.12.260
OR
amazonaws-sdk-javaRange≤1.12.260
VendorProductVersionCPE
amazonaws-sdk-java*cpe:2.3:a:amazon:aws-sdk-java:*:*:*:*:*:*:*:*

EPSS

0.001

Percentile

19.7%