CVE-2022-31159 Overview
A partial path traversal vulnerability exists in the AWS SDK for Java v1 prior to version 1.12.261. The flaw resides in the downloadDirectory method of the AWS S3 TransferManager component: under specific conditions it allows the directory traversal validation to be bypassed, so that files are written outside the intended destination directory.
Critical Impact
Applications using the vulnerable TransferManager::downloadDirectory method to download untrusted S3 bucket contents could have files written outside the intended destination directory, potentially leading to unauthorized data access or file system manipulation.
Affected Products
- Amazon AWS SDK for Java versions prior to 1.12.261
Discovery Timeline
- 2022-07-15 - CVE-2022-31159 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31159
Vulnerability Analysis
This vulnerability is classified as a partial-path traversal issue (CWE-22) affecting the S3 object download functionality in the AWS SDK for Java. Applications control the destinationDirectory argument they pass to downloadDirectory, but the S3 object keys are chosen by whoever uploaded the objects to the bucket. A flaw in the validation logic allows specially crafted object keys containing UNIX double-dot (..) sequences to partially escape the intended destination directory.
The scope of this vulnerability is limited but significant. For a destination directory such as /tmp/foo, an attacker could cause downloads to land in /tmp/foo-bar, but not in an entirely different path such as /tmp/bar. Exploitation is therefore confined to directories whose path begins with the configured destination directory's path.
Root Cause
The root cause is insufficient validation of S3 object key names within the downloadDirectory method. The validation logic intended to prevent directory traversal contained a flaw that let UNIX double-dot (..) sequences pass the security checks. When S3 object keys containing these sequences are processed, the resulting filesystem path can resolve to a location one level above the intended working directory.
Attack Vector
An attacker who can upload objects to an S3 bucket that is later downloaded with the vulnerable TransferManager::downloadDirectory method can exploit this vulnerability. The attack requires:
- Access to upload objects with malicious key names to an S3 bucket
- A victim application using AWS SDK for Java v1 prior to 1.12.261
- The victim application calling downloadDirectory on the attacker-controlled bucket
- A filesystem structure where the destination directory prefix matches an unintended target directory
The vulnerability is triggered by S3 object keys that include .. path traversal sequences. When the SDK processes such keys during download, the validation bypass allows files to be written to directories that share a path prefix with the intended destination.
Detection Methods for CVE-2022-31159
Indicators of Compromise
- Unexpected files appearing in directories that share a prefix with application download destinations
- S3 object keys in CloudTrail logs containing .. path traversal sequences
- Files downloaded from S3 appearing outside expected destination directories
- Application logs showing downloads to unexpected filesystem paths
Detection Strategies
- Audit application dependencies to identify AWS SDK for Java versions below 1.12.261
- Review CloudTrail logs for S3 GetObject operations with suspicious object key patterns
- Monitor filesystem activity for file creation in directories adjacent to S3 download destinations
- Implement runtime monitoring for path traversal patterns in S3 object metadata
Monitoring Recommendations
- Enable detailed logging for S3 TransferManager operations in applications
- Configure file integrity monitoring on directories adjacent to S3 download destinations
- Set up alerts for S3 bucket access patterns involving object keys with special characters
- Review application error logs for path-related exceptions during S3 downloads
How to Mitigate CVE-2022-31159
Immediate Actions Required
- Upgrade AWS SDK for Java to version 1.12.261 or later immediately
- Audit all applications using TransferManager::downloadDirectory to identify vulnerable deployments
- Review S3 bucket contents for objects with suspicious key names containing .. sequences
- Implement additional validation of S3 object keys before download operations
Patch Information
Amazon has addressed this vulnerability in AWS SDK for Java version 1.12.261. Organizations should update their dependencies to this version or later. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- When calling TransferManager::downloadDirectory, pass a KeyFilter that rejects S3ObjectSummary objects where getKey() returns a string containing the substring ..
- Implement application-level validation of S3 object keys before initiating downloads
- Restrict S3 bucket policies to only allow trusted principals to upload objects
- Use separate, isolated destination directories with unique prefixes for each download operation
// Workaround: register a KeyFilter that excludes any object whose key contains a ".." sequence
import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.s3.transfer.KeyFilter;
import com.amazonaws.services.s3.transfer.TransferManager;
import com.amazonaws.services.s3.transfer.TransferManagerBuilder;

TransferManager transferManager = TransferManagerBuilder.standard().build();
// bucketName, prefix and destinationDir (a java.io.File) are supplied by the application
KeyFilter safeKeyFilter = new KeyFilter() {
    @Override
    public boolean shouldInclude(S3ObjectSummary objectSummary) {
        // Skip the object when its key carries a double-dot sequence anywhere
        return !objectSummary.getKey().contains("..");
    }
};
transferManager.downloadDirectory(bucketName, prefix, destinationDir, safeKeyFilter);
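The following Java class is an added example, not code from this page or from the AWS SDK. It serves two passages: the /tmp/foo versus /tmp/foo-bar scope described under Technical Details, and the KeyFilter workaround above. It assumes that an object is placed at the destination directory joined with its key (an assumption about the SDK's layout, not a fact stated on the page), and its naivePrefixCheck method is only an illustration of the prefix-matching behaviour the text describes, not the SDK's own validation code. The names SafeDownloadKeyFilter, resolveTarget, naivePrefixCheck and strictContainmentCheck are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.s3.transfer.KeyFilter;

/**
 * KeyFilter that only admits objects whose key resolves to a file inside the
 * destination directory (hypothetical helper class, not part of the SDK).
 */
public class SafeDownloadKeyFilter implements KeyFilter {
    private final Path destinationRoot;

    public SafeDownloadKeyFilter(File destinationDirectory) throws IOException {
        // Canonicalise once so symlinks and "." segments in the configured path do not skew the comparison
        this.destinationRoot = destinationDirectory.getCanonicalFile().toPath();
    }

    /** Assumed placement: destination directory joined with the object key, then normalised. */
    static Path resolveTarget(Path destinationRoot, String key) {
        return destinationRoot.resolve(key).normalize();
    }

    /**
     * Illustration of the prefix-matching behaviour the advisory describes (not the SDK's code):
     * a plain string prefix test accepts /tmp/foo-bar/... as being "under" /tmp/foo.
     */
    static boolean naivePrefixCheck(Path destinationRoot, String key) {
        return resolveTarget(destinationRoot, key).toString()
                .startsWith(destinationRoot.toString());
    }

    /**
     * Correct containment test: Path.startsWith compares whole name elements, so
     * /tmp/foo-bar is not treated as a child of /tmp/foo, and absolute keys are rejected too.
     */
    static boolean strictContainmentCheck(Path destinationRoot, String key) {
        return resolveTarget(destinationRoot, key).startsWith(destinationRoot);
    }

    @Override
    public boolean shouldInclude(S3ObjectSummary objectSummary) {
        return strictContainmentCheck(destinationRoot, objectSummary.getKey());
    }

    // Constructed sample keys: an ordinary key, the two cases from the advisory's /tmp/foo example,
    // and a legitimate key that merely contains ".." inside a file name.
    public static void main(String[] args) {
        Path root = Paths.get("/tmp/foo");
        String[] sampleKeys = {
            "reports/2022/q2.csv",
            "../foo-bar/note.txt",
            "../bar/note.txt",
            "archive..old/file.txt"
        };
        for (String key : sampleKeys) {
            System.out.printf("%-26s -> %-30s naive=%-5b strict=%b%n",
                    key, resolveTarget(root, key),
                    naivePrefixCheck(root, key), strictContainmentCheck(root, key));
        }
    }
}
```

Running main shows the difference between the two checks on the constructed keys: ../foo-bar/note.txt resolves to /tmp/foo-bar/note.txt, which the string prefix test accepts and the element-wise containment test rejects; ../bar/note.txt fails both; archive..old/file.txt stays inside /tmp/foo and passes the containment test, whereas the substring filter in the workaround above would discard it although it is harmless. Resolving and then comparing whole path elements is the check to keep once the SDK is upgraded, because it protects against keys that are absolute paths as well.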
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.