CVE-2022-31159: 
Java vulnerability analysis and mitigation

A partial-path traversal vulnerability (CVE-2022-31159) was discovered in the AWS SDK for Java v1, specifically affecting versions up to 1.12.260 of the com.amazonaws:aws-java-sdk-s3 package. The vulnerability exists within the downloadDirectory method in the AWS S3 TransferManager component, where insufficient validation of object key names could allow bypass of security controls (GitHub Advisory).

The vulnerability stems from insufficient protection against partial-path traversal in the leavesRoot method. The issue occurs when the result of parent.getCanonicalPath() is not slash-terminated, allowing for partial path traversal. For example, '/usr/outnot'.startsWith('/usr/out') check can be bypassed even though 'outnot' is not under the 'out' directory. The vulnerability has a CVSS v3.1 score of 7.9 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L (GitHub Advisory).

When the TransferManager::downloadDirectory method is used to download contents from untrusted buckets, an attacker could potentially write bucket contents outside of the intended destination directory. The scope is limited to directories whose name prefix matches the destinationDirectory. For example, with a destination directory '/tmp/foo', an attacker can cause a download to '/tmp/foo-bar', but not '/tmp/bar' (GitHub Advisory).

Users should upgrade to AWS SDK for Java version 1.12.261 or later to address this vulnerability. As a workaround, when calling TransferManager::downloadDirectory, implement a KeyFilter that forbids S3ObjectSummary objects whose getKey method returns a string containing the substring '..' (GitHub Advisory).