S3Proxy allows insecure path traversal in filesystem and filesystem-nio2 storage backends
Description
Published to the GitHub Advisory Database: Feb 3, 2025
Reviewed: Feb 3, 2025
Published by the National Vulnerability Database: Feb 3, 2025
Last updated: Feb 4, 2025
Impact
Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to authenticated clients.
Patches
Upgrade to S3Proxy 2.6.0, which includes apache/jclouds@b0819e0 and 86b6ee4749aa163a78e7898efc063617ed171980.
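A triage check for the scope stated above, as an added example that is not part of the advisory or of S3Proxy: it reads a properties-style S3Proxy config, looks at the `jclouds.provider` key, and compares the installed version with 2.6.0. It assumes that every release before 2.6.0 is affected and that the backend is set in a config file; the sample config and the function names are constructed for illustration.

```python
import re

# Backends named in the advisory and the release that carries the fix.
AFFECTED_BACKENDS = {"filesystem", "filesystem-nio2"}
FIXED_VERSION = (2, 6, 0)

# Constructed sample config for illustration (not taken from the advisory).
SAMPLE_CONFIG = """\
# s3proxy.conf
s3proxy.endpoint=http://127.0.0.1:8080
jclouds.provider = filesystem-nio2
jclouds.filesystem.basedir=/var/lib/s3proxy
"""


def parse_properties(text):
    """Parse simple Java .properties lines: 'key=value' or 'key: value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:  # lines with no key (e.g. starting with '=') are skipped
            props[m.group(1)] = m.group(2)
    return props


def parse_version(version):
    """'2.5.0' -> (2, 5, 0); a missing patch component counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def in_advisory_scope(config_text, version):
    """Return (affected, reason) for one S3Proxy deployment."""
    provider = parse_properties(config_text).get("jclouds.provider", "")
    if provider not in AFFECTED_BACKENDS:
        return False, f"backend {provider!r} is not named in the advisory"
    # Assumption: every release before 2.6.0 is affected.
    if parse_version(version) >= FIXED_VERSION:
        return False, f"{version} is at or past the fixed release"
    return True, f"{provider} backend on {version}: upgrade to 2.6.0"


if __name__ == "__main__":
    print(in_advisory_scope(SAMPLE_CONFIG, "2.5.0"))
```

Version strings with suffixes (snapshots, custom builds) are rejected rather than guessed at, so those deployments need a manual check against the two commits listed above.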
Workarounds
None
References
Privately reported by XBOW Team @xbow-security.