William Lo created GOBBLIN-1943:
-----------------------------------

             Summary: Bump AWS SDK version to patch security vulnerability
                 Key: GOBBLIN-1943
                 URL: https://issues.apache.org/jira/browse/GOBBLIN-1943
             Project: Apache Gobblin
          Issue Type: Improvement
            Reporter: William Lo


In AWS Java SDK S3 there is a path traversal vulnerability that gets patched in 
1.12.261.

aws-java-sdk-s3 is vulnerable to path traversal. The vulnerability exists due 
to the insufficient guard logic used for the download directory in the 
{{leavesRoot}} function of {{TransferManager.java}}, allowing an attacker 
to access files from the S3 bucket that is one level up in the file system by 
evading the validation logic by adding a UNIX double-dot to the bucket key when 
the directory name prefix matches the destination director

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
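An added illustration of the guard weakness the issue describes, beside a hardened form. This is example code written for this note, not the SDK's or Gobblin's own; the method names, base directory and keys are constructed.

```java
import java.io.File;
import java.io.IOException;

// Illustration of a prefix-only download-directory guard and a stricter one.
// Not the SDK's code: names and paths here are constructed for the example.
public class DownloadDirGuard {

    // Weak guard: canonical-path prefix test only. A sibling directory whose
    // name merely starts with the base name ("/tmp/dl" vs "/tmp/dl-other")
    // passes, because string prefix is not directory containment.
    static boolean leavesRootWeak(File baseDir, String key) throws IOException {
        File target = new File(baseDir, key);
        return !target.getCanonicalPath().startsWith(baseDir.getCanonicalPath());
    }

    // Hardened guard: the resolved target must be the base directory itself
    // or start with the base path followed by a separator, so a name-prefix
    // match on a sibling directory is rejected.
    static boolean leavesRootStrict(File baseDir, String key) throws IOException {
        String base = baseDir.getCanonicalPath();
        String target = new File(baseDir, key).getCanonicalPath();
        return !(target.equals(base) || target.startsWith(base + File.separator));
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory; nothing is written to disk.
        File base = new File(System.getProperty("java.io.tmpdir"), "dl");
        String[] keys = { "a/b.txt", "../dl-other/x.txt", "../x.txt" };
        for (String key : keys) {
            System.out.printf("%-20s weak=%b strict=%b%n", key,
                leavesRootWeak(base, key), leavesRootStrict(base, key));
        }
    }
}
```

The second key resolves to a sibling of the base directory: the weak guard reports it as inside the root, the strict guard reports it as leaving it.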