Vulnerability	Vulnerable Version
M Directory Traversal Affected versions of this package are vulnerable to Directory Traversal via the `downloadDirectory` method of the `TransferManager` component. Exploiting this vulnerability is possible due to improper input validation for key names in the `leavesRoot` function. Under certain conditions, this vulnerability could permit the attackers to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. Note: The exploitation scope is limited to directories whose name prefix matches the `destinationDirectory`. E.g. for destination `directory/tmp/foo`, the actor can cause a download to `/tmp/foo-bar`, but not `/tmp/bar`. How to fix Directory Traversal? Upgrade `com.amazonaws:aws-java-sdk-s3` to version 1.12.261 or higher.	[,1.12.261)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the downloadDirectory method of the TransferManager component. Exploiting this vulnerability is possible due to improper input validation for key names in the leavesRoot function. Under certain conditions, this vulnerability could permit the attackers to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory.

Note: The exploitation scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory/tmp/foo, the actor can cause a download to /tmp/foo-bar, but not /tmp/bar.

How to fix Directory Traversal?

Upgrade com.amazonaws:aws-java-sdk-s3 to version 1.12.261 or higher.

[,1.12.261)

Go back to all versions of this package