cvedb.io
CVE-2022-31159
HIGH · CVSS 7.9
EPSS exploitation probability: 0%
Published 2022-07-15T18:15:09.037 · Last modified 2026-06-17T04:44:55.713

Summary

The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem

Affected products

amazon — aws-sdk-java

Does this affect you?

Add your gear to cvedb and we'll alert you only when amazon ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.