
CVSS: 7.9 | EPSS: 0% | CPEs: 1 | EXPL: 1

The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key.

• https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
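The containment check a caller can apply to each object key before writing it under `destinationDirectory`, shown beside the weak form typical of partial-path traversal bugs. This is an added example, not the SDK's code: the class and method names, the directory name, and the sample keys are constructed, and the string-prefix check is an assumed illustration of the bug class rather than the SDK's actual validation logic.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class KeyContainmentCheck {

    // Weak form (assumed illustration of the bug class): compares canonical
    // paths as strings. A sibling directory whose name merely begins with the
    // destination directory's name shares the same character prefix and passes.
    static boolean staysInsidePrefix(File destinationDirectory, String key) throws IOException {
        String base = destinationDirectory.getCanonicalPath();
        String target = new File(destinationDirectory, key).getCanonicalPath();
        return target.startsWith(base);
    }

    // Hardened form: Path.startsWith compares whole name elements, so the
    // resolved target must have the destination directory as a real ancestor.
    static boolean staysInsideComponents(File destinationDirectory, String key) throws IOException {
        Path base = destinationDirectory.getCanonicalFile().toPath();
        Path target = new File(destinationDirectory, key).getCanonicalFile().toPath();
        return target.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed destination directory and object keys for the comparison.
        File dest = new File(System.getProperty("java.io.tmpdir"), "s3-download");
        String[] keys = {
            "reports/2022/q1.csv",          // ordinary nested key
            "../s3-download-other/q1.csv",  // double-dot into a sibling with a shared name prefix
            "../../q1.csv"                  // double-dot above the destination directory
        };
        for (String key : keys) {
            System.out.printf("%-30s prefix-check=%-5b component-check=%b%n",
                    key, staysInsidePrefix(dest, key), staysInsideComponents(dest, key));
        }
    }
}
```

The two checks disagree only on the key that resolves to a sibling directory sharing the destination's name prefix, which is the case a plain prefix comparison misses.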