Home > Vulnerability Database > CVE-2023-51651

Mend.io Vulnerability Database

CVE-2023-51651

Good to know:

Date: December 22, 2023

AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the `buildEndpoint` method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The `buildEndpoint` method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. This issue has been patched in version 3.288.1.

Language: PHP

Severity Score

6.0

Related Resources (7)

Url: https://github.com/aws/aws-sdk-php/releases/tag/3.288.1

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-51651

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2023-51651.yaml

Url: https://github.com/aws/aws-sdk-php

Url: https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m

Url: https://github.com/aws/aws-sdk-php/commit/aebc9f801438746ac4ade327551576cb75f635f2

Url: https://www.mend.io/vulnerability-database/CVE-2023-51651

Severity Score

6.0

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version 3.288.1

Learn More

CVSS v3.1

Base Score:	6.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-51651

Good to know:

Date: December 22, 2023

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?