CVE-2022-31159 – Partial Path Traversal in com.amazonaws:aws-java-sdk-s3
https://notcve.org/view.php?id=CVE-2022-31159
The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key, but its validation logic for the key name contained an issue. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key.
• https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
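One common form of a partial path traversal, shown as an added example that is not the SDK's code: a containment check that compares path strings by prefix, beside a check that compares whole path elements. The class and method names, the destination directory and the sample keys are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class PartialPathTraversalDemo {

    // Weak check (illustrative): compares the normalized paths as strings.
    // A sibling directory whose name merely begins with the destination's
    // name shares the same string prefix and is accepted.
    static boolean staysInsideWeak(Path destinationDirectory, String key) {
        Path base = destinationDirectory.toAbsolutePath().normalize();
        Path target = base.resolve(key).normalize();
        return target.toString().startsWith(base.toString());
    }

    // Hardened check (illustrative): Path.startsWith compares whole name
    // elements, so "downloads-private" does not match "downloads".
    static boolean staysInsideStrict(Path destinationDirectory, String key) {
        Path base = destinationDirectory.toAbsolutePath().normalize();
        Path target = base.resolve(key).normalize();
        return target.startsWith(base);
    }

    public static void main(String[] args) {
        // Constructed destination directory and object keys.
        Path dest = Paths.get("/srv/app/downloads");
        String[] keys = {
            "reports/2022/q1.csv",          // ordinary key
            "../downloads-private/q1.csv",  // sibling sharing the name prefix
            "../../etc/app.conf"            // leaves the tree entirely
        };
        for (String key : keys) {
            System.out.printf("%-30s weak=%-5b strict=%b%n",
                    key,
                    staysInsideWeak(dest, key),
                    staysInsideStrict(dest, key));
        }
    }
}
```

Both checks reject the key that leaves the tree entirely; only the element-wise check rejects the key that resolves to a sibling directory sharing the destination's name prefix.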