Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-51651

AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the `buildEndpoint` method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The `buildEndpoint` method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. This issue has been patched in version 3.288.1.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 6.0, requiring local system access to exploit with relatively low complexity without requiring user interaction . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), for affected systems. Impacting 1 product from amazon organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2023, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2023-12-22T21:15:09.700

Last Modified

2024-11-21T08:38:32.420

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.0 (MEDIUM)

Weaknesses

Type: Secondary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	amazon	aws_software_development_kit	< 3.288.1	Yes

References

https://github.com/aws/aws-sdk-php/commit/aebc9f801438746ac4ade327551576cb75f635f2 Patch ([email protected])
https://github.com/aws/aws-sdk-php/releases/tag/3.288.1 Release Notes ([email protected])
https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m Third Party Advisory ([email protected])
https://github.com/aws/aws-sdk-php/commit/aebc9f801438746ac4ade327551576cb75f635f2 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/aws/aws-sdk-php/releases/tag/3.288.1 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For amazon's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.