[ https://issues.apache.org/jira/browse/GOBBLIN-1943?focusedWorklogId=887658&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-887658 ]

ASF GitHub Bot logged work on GOBBLIN-1943:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Oct/23 23:11
            Start Date: 27/Oct/23 23:11
    Worklog Time Spent: 10m 
      Work Description: codecov-commenter commented on PR #3813:
URL: https://github.com/apache/gobblin/pull/3813#issuecomment-1783602149

   We're currently processing your upload. This comment will be updated when the results are available.

Issue Time Tracking
-------------------

            Worklog Id:     (was: 887658)
    Remaining Estimate: 0h
            Time Spent: 10m

> Bump AWS SDK version to patch security vulnerability
> ----------------------------------------------------
>
>                 Key: GOBBLIN-1943
>                 URL: https://issues.apache.org/jira/browse/GOBBLIN-1943
>             Project: Apache Gobblin
>          Issue Type: Improvement
>            Reporter: William Lo
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In AWS Java SDK S3 there is a path traversal vulnerability that gets patched 
> in 1.12.261.
> aws-java-sdk-s3 is vulnerable to path traversal. The vulnerability exists due 
> to the insufficient guard logic used for the download directory in the 
> {{leavesRoot}} function of {{TransferManager.java}}, allowing an attacker 
> to access files from the S3 bucket that is one level up in the file system by 
> evading the validation logic by adding a UNIX double-dot to the bucket key 
> when the directory name prefix matches the destination director
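The prefix-matching failure the quoted description refers to, as an added illustration that is not the SDK's or Gobblin's own code: a guard that compares normalized paths as strings accepts a sibling directory whose name merely starts with the download root, while a component-wise containment check rejects it. The function names and the `/data/download` sample paths are constructed for this example.

```python
import posixpath
from pathlib import PurePosixPath


def naive_leaves_root(download_dir: str, key: str) -> bool:
    """Constructed approximation of a string-prefix guard.

    Normalizes the destination and asks whether it *starts with* the root
    as a string. A key such as '../download2/x' resolves to
    '/data/download2/x', which still has '/data/download' as a string
    prefix, so the traversal is not detected.
    """
    root = posixpath.normpath(download_dir)
    dest = posixpath.normpath(posixpath.join(root, key))
    return not dest.startswith(root)


def strict_leaves_root(download_dir: str, key: str) -> bool:
    """Component-wise containment check.

    The root must be an ancestor *path component* of the destination, not
    merely a string prefix. PurePosixPath.relative_to() raises ValueError
    unless that holds, which is exactly the signal we want.
    """
    root = PurePosixPath(posixpath.normpath(download_dir))
    dest = PurePosixPath(posixpath.normpath(posixpath.join(str(root), key)))
    try:
        dest.relative_to(root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample keys: a benign one, the sibling-prefix case and a
    # plain climb out of the tree.
    root_dir = "/data/download"
    for key in ("reports/2023/x.csv", "../download2/secret.txt", "../../etc/passwd"):
        print(f"{key!r}: naive={naive_leaves_root(root_dir, key)} "
              f"strict={strict_leaves_root(root_dir, key)}")
```

Only the component-wise check flags `../download2/secret.txt`; both checks agree on the benign key and on the obvious `../../etc/passwd` climb.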
--
This message was sent by Atlassian Jira
(v8.20.10#820010)