CVE-2022-31159

7.9 HIGH

📋 TL;DR

A partial-path traversal vulnerability in the AWS SDK for Java v1 lets whoever controls the object keys in an S3 bucket (typically the bucket owner) make TransferManager.downloadDirectory() write files outside the destination directory the application chose. The application controls the destination directory, but object keys come from the bucket, and a key containing ".." can escape it. The escape is partial: writes are confined to directories whose name begins with the destination directory's own name (for example, a destination of /var/app/out permits writes under /var/app/out-backup/ but not under /etc). Any Java application that downloads whole directories from a bucket it does not fully control, using an SDK version before 1.12.261, is affected.

💻 Affected Systems

Products:
  • AWS SDK for Java
Versions: All versions prior to 1.12.261
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that call TransferManager.downloadDirectory() against buckets whose object keys are not fully trusted (shared, third-party or customer-controlled buckets). Other TransferManager operations are not affected.

📦 What is this software?

The AWS SDK for Java 1.x (Maven group com.amazonaws, artifacts such as aws-java-sdk-s3 or the aws-java-sdk bundle) is Amazon's Java client library for AWS services. Its TransferManager class, in the com.amazonaws.services.s3.transfer package, provides high-level, multi-threaded S3 uploads and downloads. downloadDirectory() lists every object under a key prefix and writes each one to a local file under the destination directory, using the object key as the relative path, which is where this issue arises. The 1.x line is in maintenance mode and AWS recommends migrating to the AWS SDK for Java 2.x.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker-chosen file content written into sibling directories whose names start with the destination directory's name. If such a directory holds scripts, configuration, deployment artifacts or served web content, the overwrite can lead to code execution, data tampering or denial of service.

🟠

Likely Case

Unauthorized file writes into a sibling directory that shares the destination's name prefix, overwriting or planting files there and exposing data or disrupting application functionality.

🟢

If Mitigated

Limited impact with proper bucket trust controls and validation, restricting writes to intended directories only.

🌐 Internet-Facing: MEDIUM - Requires application to download from untrusted S3 buckets, which is less common for internet-facing services.
🏢 Internal Only: MEDIUM - Internal applications downloading from untrusted sources could be affected, but requires specific conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to control object keys in a bucket the application downloads from (a bucket they own or can write to) and to know, or guess, the destination directory's name, since the crafted key must resolve to a path that shares that name as a prefix.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.261

Vendor Advisory: https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3

Restart Required: Yes

Instructions:

1. Update the AWS SDK for Java dependency to version 1.12.261 or later.
2. Update pom.xml or build.gradle to reference the new version.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

KeyFilter workaround (all platforms)

Pass a KeyFilter to downloadDirectory() that rejects any S3 object key containing the ".." substring, so no key can resolve to a path above the destination directory. This also rejects legitimate keys such as a..b/file, which is usually acceptable for a stop-gap.

// KeyFilter, TransferManager and MultipleFileDownload live in com.amazonaws.services.s3.transfer
// Reject any key containing ".." before it reaches the path-building code
KeyFilter filter = summary -> !summary.getKey().contains("..");
TransferManager tm = TransferManagerBuilder.standard().withS3Client(s3Client).build();
MultipleFileDownload download = tm.downloadDirectory(bucketName, keyPrefix, destinationDir, filter);
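The advisory's "partial" traversal is easier to see with a small containment check. The following is an added example written for this page, not code from the AWS SDK: naiveContains() reproduces the check pattern that partial-path traversal bugs share (comparing canonical path strings with startsWith and no trailing separator), strictContains() compares whole path components instead, and containmentFilter() wraps the strict check as a KeyFilter that can be passed to downloadDirectory() in place of the blunt ".." substring filter. The destination /var/app/out and the object keys are constructed sample data; KeyFilter comes from aws-java-sdk-s3 (any 1.12.x release) and is the only non-JDK dependency.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

import com.amazonaws.services.s3.transfer.KeyFilter;

/**
 * Illustrative code for CVE-2022-31159 (not from the AWS SDK): shows why a
 * string-prefix containment check is bypassable and how to do it properly.
 */
public class PartialPathTraversalDemo {

    /**
     * The flawed pattern behind partial path traversal: the canonical target
     * path is compared to the canonical base path as strings, with no trailing
     * separator, so "/var/app/out-backup/x" counts as being under "/var/app/out".
     */
    static boolean naiveContains(File dest, String key) throws IOException {
        File target = new File(dest, key);
        return target.getCanonicalPath().startsWith(dest.getCanonicalPath());
    }

    /**
     * Strict check: resolve the key against the base, collapse "." and "..",
     * then compare whole path components. Path.startsWith works element by
     * element, so a sibling directory sharing a name prefix is rejected.
     */
    static boolean strictContains(File dest, String key) throws IOException {
        Path base = dest.getCanonicalFile().toPath();
        Path target = base.resolve(key).normalize();
        // equals(base) covers keys like "" or "." that resolve to the directory itself
        return !target.equals(base) && target.startsWith(base);
    }

    /**
     * KeyFilter for TransferManager.downloadDirectory(bucket, prefix, dest, filter)
     * that keeps only keys whose resolved path lies inside dest. Unlike a
     * ".."-substring filter it still allows names such as "a..b/notes.txt".
     */
    static KeyFilter containmentFilter(File dest) {
        return summary -> {
            try {
                return strictContains(dest, summary.getKey());
            } catch (IOException e) {
                return false; // cannot resolve the key safely: skip it
            }
        };
    }

    public static void main(String[] args) throws IOException {
        File dest = new File("/var/app/out"); // constructed example destination
        String[] keys = {                     // constructed sample object keys
            "reports/2024.csv",               // ordinary key inside the destination
            "../out-backup/run.sh",           // partial traversal into a sibling sharing the "out" prefix
            "../../etc/cron.d/job",           // full traversal, caught even by the naive check
            "a..b/notes.txt"                  // ".." inside a name, not a path segment
        };
        System.out.printf("%-24s %-6s %-6s %s%n", "key", "naive", "strict", "no-dotdot");
        for (String key : keys) {
            System.out.printf("%-24s %-6b %-6b %b%n", key,
                naiveContains(dest, key), strictContains(dest, key), !key.contains(".."));
        }
    }
}
```

Running main() shows the three checks side by side: the naive string-prefix check accepts "../out-backup/run.sh" because "/var/app/out-backup/run.sh" starts with "/var/app/out" as a string, while the component-wise check rejects it; the ".."-substring filter blocks that key too but also throws away "a..b/notes.txt", which the component-wise check correctly keeps. Use containmentFilter(destinationDir) as the fourth argument to downloadDirectory() when you need a workaround that does not reject legitimate keys.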

🧯 If You Can't Patch

  • Only download from trusted S3 buckets whose object keys are written by code you control
  • Validate every S3 object key before it reaches downloadDirectory(): resolve it against the destination directory, normalise the result, and require the path to lie inside the destination by whole path components, not by string prefix

🔍 How to Verify

Check if Vulnerable:

Check whether the application resolves aws-java-sdk-s3 (or the aws-java-sdk bundle) to a version below 1.12.261, directly or transitively, and calls TransferManager.downloadDirectory() against buckets whose object keys it does not fully control.

Check Version:

mvn dependency:tree | grep aws-java-sdk

gradle dependencies | grep aws-java-sdk

Inspect the resolved version, not just the one declared in your build file: the SDK is frequently pulled in transitively, and dependency management can pin an older release than the one you added.

Verify Fix Applied:

Confirm the resolved aws-java-sdk-s3 version is 1.12.261 or later, then, in a test environment, run downloadDirectory() against a bucket containing a key such as ../<destination-name>-test/file and confirm that nothing is written outside the destination directory.

📡 Detection & Monitoring

Log Indicators:

  • Failed file writes outside expected directories
  • S3 download operations with unusual key patterns

Network Indicators:

  • Unexpected S3 download patterns from untrusted sources

SIEM Query:

source="application_logs" AND ("downloadDirectory" OR "TransferManager") AND (".." OR "path traversal")

🔗 References

  • https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3