awscli is vulnerable to Path Traversal
59
Medium Risk
awscli guards S3 downloads against object keys that escape the destination directory by warning and skipping any key that references a parent directory. The escape check normalizes the compare key without anchoring it to the destination root, so a key with a leading slash such as /../foo collapses the parent segment and slips past the check. Downloading or syncing from a bucket that contains such crafted keys then writes files outside the intended destination directory. The fix anchors the key against the destination root before normalization so leading-slash parent references are correctly detected and skipped.
You are affected if you are using a version that falls within the vulnerable range and you download or sync objects from an untrusted S3 bucket whose object keys can be attacker-controlled.
awscli is vulnerable to Path Traversal in versions 1.12.0 - 1.45.17.
Upgrade the awscli library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant