[https://issues.apache.org/jira/browse/GOBBLIN-1943?focusedWorklogId=887897&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-887897]
ASF GitHub Bot logged work on GOBBLIN-1943:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 30/Oct/23 16:34
Start Date: 30/Oct/23 16:34
Worklog Time Spent: 10m
Work Description: Will-Lo merged PR #3813:
URL: https://github.com/apache/gobblin/pull/3813
Issue Time Tracking
-------------------
Worklog Id: (was: 887897)
Time Spent: 20m (was: 10m)
> Bump AWS SDK version to patch security vulnerability
> ----------------------------------------------------
>
> Key: GOBBLIN-1943
> URL: https://issues.apache.org/jira/browse/GOBBLIN-1943
> Project: Apache Gobblin
> Issue Type: Improvement
> Reporter: William Lo
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In AWS Java SDK S3 there is a path traversal vulnerability that gets patched
> in 1.12.261.
> aws-java-sdk-s3 is vulnerable to path traversal. The vulnerability exists due
> to the insufficient guard logic used for the download directory in the
> leavesRoot function of TransferManager.java, allowing an attacker
> to access files from the S3 bucket that is one level up in the file system by
> evading the validation logic by adding a UNIX double-dot to the bucket key
> when the directory name prefix matches the destination director
--
This message was sent by Atlassian Jira
(v8.20.10#820010)