CVE-2022-31159
Path Traversal vulnerability in aws-java-sdk-s3 (Maven)

Path Traversal Proof of concept

What is CVE-2022-31159 About?

A partial-path traversal vulnerability exists in the AWS S3 TransferManager component of the AWS SDK for Java v1, affecting versions before 1.12.261. An attacker can craft S3 object keys with UNIX double-dots (`..`) to bypass validation logic in `downloadDirectory`, allowing files to be written outside the intended destination directory. Exploitation requires the use of untrusted S3 bucket contents and can achieve limited directory traversal.

Affected Software

com.amazonaws:aws-java-sdk-s3 <1.12.261

Technical Details

The `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory` method in the AWS SDK for Java v1 is vulnerable to partial-path traversal. Its `leavesRoot` validation function, intended to prevent path traversal, performs an insufficient check: it compares the canonical path of the target file against `parent.getCanonicalPath()` using `startsWith`, but the parent's canonical path does not end with a slash. A key such as `/../foo-bar/bar` therefore passes the `startsWith` check even though the resulting path lies outside the intended root. While the application controls `destinationDirectory`, the key (S3 object name) is attacker-controlled. By including a UNIX double-dot (`..`) in the key, an attacker can have files written to a sibling directory one level up that shares a name prefix with `destinationDirectory` (e.g., from `/tmp/foo` to `/tmp/foo-bar`).
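The flawed prefix comparison beside its corrected form, as an added illustration written for this page (not the SDK's own `leavesRoot` code); `/tmp/foo` and the three keys are constructed inputs:

```java
import java.io.File;
import java.io.IOException;

public class LeavesRootCheck {

    // Vulnerable pattern: a bare prefix comparison. The canonical target
    // "/tmp/foo-bar/bar" starts with "/tmp/foo", so the key is accepted
    // even though it resolves to a sibling directory.
    static boolean leavesRootVulnerable(File root, String key) throws IOException {
        String rootPath = root.getCanonicalPath();
        String target = new File(root, key).getCanonicalPath();
        return !target.startsWith(rootPath);
    }

    // Hardened pattern: require the root plus a trailing separator as the
    // prefix, so only true descendants (or the root itself) pass.
    static boolean leavesRootFixed(File root, String key) throws IOException {
        String rootPath = root.getCanonicalPath();
        String target = new File(root, key).getCanonicalPath();
        if (target.equals(rootPath)) {
            return false;
        }
        return !target.startsWith(rootPath + File.separator);
    }

    public static void main(String[] args) throws IOException {
        File root = new File("/tmp/foo");   // constructed destinationDirectory
        String[] keys = {
            "a/b.txt",            // benign key, stays inside the root
            "../foo-bar/bar",     // shared-prefix sibling: the CVE case
            "../../etc/passwd",   // escapes further; both checks reject it
        };
        for (String key : keys) {
            System.out.printf("%-18s vulnerable=%-5s fixed=%s%n", key,
                leavesRootVulnerable(root, key), leavesRootFixed(root, key));
        }
    }
}
```

Expected on a Linux host: the vulnerable check returns `false` (key accepted) for `../foo-bar/bar` while the fixed check returns `true`; neither touches the filesystem, since `getCanonicalPath()` normalises non-existent paths lexically.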

What is the Impact of CVE-2022-31159?

Successful exploitation may allow attackers to write arbitrary files to locations outside the intended download directory, potentially leading to overwriting critical system files, injecting malicious executables, or data leakage from unintended directories.

What is the Exploitability of CVE-2022-31159?

Exploitation is of moderate complexity. No authentication or specific privileges beyond typical S3 bucket access are required for the attacker to upload malicious keys. The attack is remote, as it relies on uploading specially crafted object keys to an S3 bucket that is then downloaded by a vulnerable application. The primary prerequisite is that the application uses com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory to download contents from an untrusted S3 bucket. The scope is limited to directories with a matching name prefix, which is a constraining factor. The existence of a proof of concept increases the likelihood of real-world exploitation.

What are the Known Public Exploits?

PoC Author Link Commentary
shoucheng3 Link PoC for CVE-2022-31159

What are the Available Fixes for CVE-2022-31159?

Available Upgrade Options

  • com.amazonaws:aws-java-sdk-s3
    • <1.12.261 → Upgrade to 1.12.261


Additional Resources

What are Similar Vulnerabilities to CVE-2022-31159?

Similar Vulnerabilities: CVE-2022-23457, CVE-2021-4118, CVE-2021-29425, CVE-2018-1000180, CVE-2020-13936