AWS SDK for Java S3 Component Partial Path Traversal Vulnerability

Vulnerability

A partial path traversal vulnerability has been identified in the S3 component of the AWS SDK for Java, in versions 1.12.260 and prior. The issue arises in the TransferManager's downloadDirectory method, whose validation of S3 object keys can be bypassed: a knowledgeable actor can include a UNIX double-dot (..) in a key and thereby have the download write into a directory one level up in the filesystem from the current working directory. The vulnerability is limited to directories whose path begins with the specified destinationDirectory path as a prefix (hence "partial" path traversal). If this method is used to download contents from an untrusted bucket, files can be written outside the intended destination directory.

Impact

Exploitation of this vulnerability can lead to unauthorized file writes outside the designated download directory, potentially overwriting critical files or disrupting application functionality.

Reproduction

To reproduce this vulnerability, call the AWS SDK for Java S3 TransferManager's downloadDirectory method with a destinationDirectory while the bucket contains an S3 object key that includes a double-dot. The key passes the validation logic, and the method downloads into a directory one level up in the filesystem, writing the contents to a location outside the intended directory.

Remediation

Upgrade to AWS SDK for Java version 1.12.261 or later. If upgrading is not possible, pass a KeyFilter to downloadDirectory that excludes S3ObjectSummary objects whose keys contain a double-dot substring.
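As an added example (not code from this page or from the AWS SDK project), the following KeyFilter implements the workaround above and adds a component-wise containment check that does not suffer from the partial-prefix problem the advisory describes. The class name, the downloadSafely helper and the bucket, prefix and destination values are assumptions; KeyFilter, S3ObjectSummary and the KeyFilter overload of downloadDirectory are the SDK v1 types.

```java
import java.io.File;
import java.nio.file.Path;

import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.s3.transfer.KeyFilter;
import com.amazonaws.services.s3.transfer.MultipleFileDownload;
import com.amazonaws.services.s3.transfer.TransferManager;

/** KeyFilter that drops any S3 object whose key contains a ".." path segment. */
public final class NoDotDotKeyFilter implements KeyFilter {

    @Override
    public boolean shouldInclude(S3ObjectSummary summary) {
        // Split on the conventional '/' delimiter so "a..b/c" is kept while
        // "../c", "a/../c" and "a/.." are all excluded.
        for (String segment : summary.getKey().split("/")) {
            if ("..".equals(segment)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Defence in depth: resolve the key under the destination and check containment
     * component-wise. Path.startsWith(Path) compares whole path elements, so a sibling
     * such as "/srv/dl/dest-evil/x" is NOT considered inside "/srv/dl/dest", unlike a
     * plain String.startsWith on the two canonical paths.
     */
    static boolean staysInside(File destinationDirectory, String key) {
        Path root = destinationDirectory.toPath().toAbsolutePath().normalize();
        Path target = root.resolve(key).normalize();
        return target.startsWith(root);
    }

    /** Wires the filter into the KeyFilter overload of downloadDirectory (hypothetical helper). */
    static MultipleFileDownload downloadSafely(TransferManager tm, String bucket,
                                               String prefix, File destinationDirectory) {
        return tm.downloadDirectory(bucket, prefix, destinationDirectory, new NoDotDotKeyFilter());
    }

    public static void main(String[] args) {
        File dest = new File("/srv/dl/dest"); // constructed destination; nothing is written here
        // The second key normalises to "/srv/dl/dest-evil/overwrite.txt", which shares the
        // string prefix "/srv/dl/dest" but is correctly rejected by the component-wise check.
        System.out.println(staysInside(dest, "reports/2024/summary.csv"));
        System.out.println(staysInside(dest, "../dest-evil/overwrite.txt"));
    }
}
```

Both checks are worth keeping together: the filter stops suspicious keys before any transfer starts, and staysInside can be applied to each resolved target path when a caller writes files itself.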

Added: Mar 11, 2026, 6:54 PM
Updated: Mar 11, 2026, 6:54 PM

Vulnerability Rating

Custom Algorithm

spread:          6.6
impact:          0.6
exploitability:  5.8
remediation:     8.3
relevance:       0.0
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.