CVE-2022-31159: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aws aws-sdk-java
The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. This issue's scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory `/tmp/foo`, the actor can cause a download to `/tmp/foo-bar`, but not `/tmp/bar`. If `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory` is used to download an untrusted bucket's contents, the contents of that bucket can be written outside of the intended destination directory. Version 1.12.261 contains a patch for this issue. As a workaround, when calling `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory`, pass a `KeyFilter` that rejects `S3ObjectSummary` objects whose `getKey` method returns a string containing the substring `..`.
AI Analysis
Technical Summary
CVE-2022-31159 is a path traversal vulnerability identified in the AWS SDK for Java, specifically within the S3 TransferManager component's downloadDirectory method in versions prior to 1.12.261. This SDK is widely used by Java developers to interact with Amazon Web Services, particularly for managing S3 buckets and objects. The vulnerability arises because the downloadDirectory method inadequately validates the S3 object keys when downloading content from a bucket to a local filesystem directory. While the application controls the destination directory, the keys of objects in the S3 bucket are determined by whoever uploaded them. A malicious actor can exploit this by including UNIX double-dot sequences ('..') in the object keys, which the existing validation logic fails to properly restrict. This allows the attacker to cause files to be written outside the intended destination directory, specifically to directories with names that share a prefix with the destination directory (e.g., if the destination is /tmp/foo, files could be written to /tmp/foo-bar but not to unrelated directories like /tmp/bar). The impact is limited to the scope of directories with matching prefixes, but it still enables unauthorized file writes outside the designated folder. The vulnerability does not require authentication to exploit if the attacker can upload or control objects in the S3 bucket being downloaded, and no user interaction is necessary beyond invoking the vulnerable method. AWS patched this issue in version 1.12.261. As a workaround, developers can apply a KeyFilter to exclude any S3 object keys containing '..' to prevent path traversal during downloads. No known exploits in the wild have been reported to date.
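The prefix-only scope described above (`/tmp/foo-bar` reachable, `/tmp/bar` not) is the signature of a containment check that compares canonical paths as plain string prefixes. The following Java program is an added illustration of that defect class and of the hardened check; it is not the SDK's own validation code. The destination `/tmp/foo` and the three object keys are constructed for the demonstration, and `weakPrefixCheck` and `strictContainmentCheck` are hypothetical names.

```java
import java.io.File;
import java.io.IOException;

public class PartialPathCheck {

    // Illustration of the defect class (assumed, not the SDK's code): a bare
    // string-prefix comparison accepts any sibling whose name merely starts
    // with the destination name, e.g. "/tmp/foo-bar" for destination "/tmp/foo".
    static boolean weakPrefixCheck(File destinationDirectory, File candidate) throws IOException {
        String dest = destinationDirectory.getCanonicalPath();
        String cand = candidate.getCanonicalPath();
        return cand.startsWith(dest);
    }

    // Hardened check: the candidate must equal the destination exactly or start
    // with the destination followed by a path separator, so a sibling directory
    // that shares only a name prefix is rejected.
    static boolean strictContainmentCheck(File destinationDirectory, File candidate) throws IOException {
        String dest = destinationDirectory.getCanonicalPath();
        String cand = candidate.getCanonicalPath();
        if (cand.equals(dest)) {
            return true;
        }
        if (!dest.endsWith(File.separator)) {
            dest = dest + File.separator;
        }
        return cand.startsWith(dest);
    }

    public static void main(String[] args) throws IOException {
        File dest = new File("/tmp/foo");
        // Constructed object keys. getCanonicalPath() collapses the ".." segments,
        // so the second key resolves to /tmp/foo-bar/... and the third to /tmp/bar/...
        String[] keys = {
            "reports/2022/q1.csv",
            "../foo-bar/dropped.txt",
            "../bar/dropped.txt"
        };
        for (String key : keys) {
            File target = new File(dest, key);
            System.out.printf("%-24s -> %-28s weak=%-5b strict=%b%n",
                key, target.getCanonicalPath(),
                weakPrefixCheck(dest, target),
                strictContainmentCheck(dest, target));
        }
    }
}
```

Running this on a UNIX host shows the weak check accepting the `../foo-bar/...` key while rejecting `../bar/...`, exactly the prefix-limited scope the advisory describes; the strict check accepts only the key that resolves underneath `/tmp/foo/`. Note that canonicalising before comparing matters: the SDK caller passes the object key to the filesystem, so the comparison must be made on the resolved path, not on the raw key.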
Potential Impact
For European organizations, this vulnerability poses a risk primarily to applications that use the vulnerable AWS SDK for Java versions to download content from S3 buckets, especially if those buckets contain untrusted or externally controlled objects. The unauthorized file writes outside the intended directory could lead to overwriting or injecting malicious files into sensitive filesystem locations, potentially compromising application integrity or enabling further attacks such as code execution or privilege escalation. While the scope is somewhat limited by the directory prefix constraint, it still represents a significant risk to data integrity and system stability. Confidentiality impact is moderate since the vulnerability does not directly expose data but could facilitate indirect data manipulation or leakage if combined with other vulnerabilities. Availability could be affected if critical files are overwritten or corrupted. Given the widespread use of AWS services across European enterprises, especially in sectors like finance, manufacturing, and public services, exploitation could disrupt critical business operations or lead to compliance violations under GDPR if data integrity is compromised. The absence of known exploits suggests the threat is currently low but the vulnerability should be treated seriously due to the potential for misuse in supply chain or insider threat scenarios.
Mitigation Recommendations
1. Upgrade the AWS SDK for Java to version 1.12.261 or later, which contains the official patch addressing this path traversal vulnerability.
2. If immediate upgrade is not feasible, implement the recommended workaround by applying a KeyFilter in the downloadDirectory method to reject any S3 object keys containing the substring '..', effectively blocking path traversal attempts.
3. Audit and restrict who can upload objects to S3 buckets accessed by the vulnerable SDK to minimize the risk of malicious keys being introduced.
4. Implement strict IAM policies and bucket policies to limit write permissions to trusted users and services only.
5. Monitor application logs for unusual file writes outside expected directories and set up alerts for suspicious path traversal patterns.
6. Conduct regular code reviews and static analysis on applications using the AWS SDK to detect unsafe usage of file system operations.
7. Educate developers about secure handling of external input, especially when interacting with cloud storage APIs, to prevent similar vulnerabilities.
8. Consider sandboxing or running the download operations with least privilege to limit the impact of any unauthorized file writes.
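Recommendation 2 is concrete enough to show in code. The program below is an added example of the advisory's workaround, written here rather than taken from the SDK or the advisory: a `KeyFilter` whose `shouldInclude` rejects any `S3ObjectSummary` whose key contains `..`, passed to the `TransferManager.downloadDirectory(String, String, File, KeyFilter)` overload of SDK v1. The bucket name `example-bucket`, the destination `/tmp/foo`, the class name and the `isSafeKey` helper are assumptions for the demonstration; `KeyFilter`, `S3ObjectSummary`, `TransferManager` and `TransferManagerBuilder` are the SDK's own types in the packages the advisory names.

```java
import java.io.File;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.s3.transfer.KeyFilter;
import com.amazonaws.services.s3.transfer.MultipleFileDownload;
import com.amazonaws.services.s3.transfer.TransferManager;
import com.amazonaws.services.s3.transfer.TransferManagerBuilder;

public class SafeDirectoryDownload {

    // Hypothetical helper: the advisory's rule, a key is acceptable only if it
    // contains no ".." substring anywhere (not just as a full path segment).
    static boolean isSafeKey(String key) {
        return key != null && !key.contains("..");
    }

    // KeyFilter implementing the advisory's workaround. Rejected keys are logged
    // and skipped rather than thrown on, so one hostile object does not abort the
    // download of the rest of the bucket; the log line is the detection signal.
    static final KeyFilter NO_DOT_DOT = new KeyFilter() {
        @Override
        public boolean shouldInclude(S3ObjectSummary summary) {
            String key = summary.getKey();
            boolean ok = isSafeKey(key);
            if (!ok) {
                System.err.println("downloadDirectory: skipping key with '..': " + key);
            }
            return ok;
        }
    };

    public static void main(String[] args) throws InterruptedException {
        String bucket = args.length > 0 ? args[0] : "example-bucket"; // placeholder bucket name
        String prefix = args.length > 1 ? args[1] : "";               // empty prefix = whole bucket
        File destination = new File("/tmp/foo");                      // assumed destination

        AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
        TransferManager tm = TransferManagerBuilder.standard().withS3Client(s3).build();
        try {
            // The KeyFilter is consulted for every listed object before any file is written.
            MultipleFileDownload download = tm.downloadDirectory(bucket, prefix, destination, NO_DOT_DOT);
            download.waitForCompletion();
        } finally {
            tm.shutdownNow();
        }
    }
}
```

Keep the filter in place even after upgrading past 1.12.261 if the bucket is written to by parties you do not control: it costs nothing per object and the skipped-key log line gives incident responders a record of which keys were attempted.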
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6717
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/22/2025, 12:11:50 AM
Last updated: 8/15/2025, 4:54:23 AM
Views: 25