CVE-2023-51651 — Path Traversal in AWS Software Development KIT

CWE-22 — Path Traversal8 documents5 sources

Severity

3.3LOWNVD

CNA6.0

EPSS

0.1%

top 70.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Amazon AWS Software Development KIT AWS Aws-sdk-php Github.com Beam-cloud Beta9

Timeline

PublishedDec 22

Latest updateFeb 2

Description

AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the `buildEndpoint` method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The `buildEndpoint` method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditio…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶NVDamazon/aws_software_development_kit< 3.288.1

▶Packagistaws/aws-sdk-php< 3.288.1

▶Gogithub.com/beam-cloud_beta90.0.0-20260116162221-c1cd75e813cf

▶CVEListV5aws/aws-sdk-php>= 3.0.0, < 3.288.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Beam Exposes sensitive information via joinCleanPath function in github.com/beam-cloud/beta9↗2026-02-02

▶

OSV

Beam Exposes sensitive information via joinCleanPath function↗2026-01-22

▶

OSV

CVE-2023-51651: AWS SDK for PHP is the Amazon Web Services software development kit for PHP↗2023-12-22

▶

CVEList

Potential URI resolution path traversal in the AWS SDK for PHP↗2023-12-22

▶

GHSA

Potential URI resolution path traversal in the AWS SDK for PHP↗2023-12-21

▶

🕵️Threat Intelligence

Wiz

GHSA-27qh-8cxx-2cr5 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶