First published: Fri Jul 15 2022
AWS SDK for Java could allow a remote authenticated attacker to traverse directories on the system, caused by a flaw in the downloadDirectory method in the AWS S3 TransferManager component. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Disconnected Log Collector | <=v1.0 - v1.8.2 | |
Amazon Aws-sdk-java | <=1.12.260 | |
The vulnerability ID is CVE-2022-31159.
The affected software is IBM Disconnected Log Collector version v1.0 - v1.8.2.
The severity of CVE-2022-31159 is high.
CVE-2022-31159 allows a remote authenticated attacker to traverse directories by exploiting a flaw in the downloadDirectory method in the AWS S3 TransferManager component.
An attacker can exploit CVE-2022-31159 by sending a specially-crafted URL request containing "dot dot" sequences (/../) to write arbitrary files.
Yes, you can find references for CVE-2022-31159 at the following links: [1] [2]
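
The flaw described above comes down to a remote-supplied name (for S3, an object key) containing `/../` being turned into a local file path outside the intended download directory. The following is an added example, not code from the AWS SDK or from this advisory: a caller-side containment check in Java. The class `KeyContainmentCheck`, the method `resolveInside`, the `downloads` directory and the sample keys are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: keep files derived from object keys inside one directory. */
public class KeyContainmentCheck {

    /**
     * Maps an object key to a path under destDir. The key is resolved and
     * normalized first, so "a/../b" collapses to "b", and the result is then
     * required to remain below destDir. Path.startsWith compares whole path
     * elements, so "/data/dl-other" does not count as being under "/data/dl".
     * Note: normalize() does not follow symlinks; a symlink already present
     * inside destDir needs a separate check (for example toRealPath()).
     */
    static Path resolveInside(Path destDir, String key) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target;
        try {
            // An absolute key such as "/etc/passwd" replaces base entirely
            // here and is caught by the startsWith test below.
            target = base.resolve(key).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("Key is not a valid local path: " + key, e);
        }
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Key escapes destination directory: " + key);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("downloads"); // hypothetical destination directory
        // Constructed sample keys: two that stay inside, three that do not.
        String[] keys = {
            "reports/2022/q2.csv", "a/../b.txt",
            "../outside.txt", "logs/../../outside/job", "/etc/passwd"
        };
        for (String key : keys) {
            try {
                System.out.println("OK      " + key + " -> " + resolveInside(dest, key));
            } catch (IOException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```

Running the check on every key before any file is opened for writing means a rejected key never touches the filesystem.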