- Release Date: August 9, 2018
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Environment Variable Injection
- Affected Versions: 3.18.28 and below
- Severity: High
- Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2016-5385
The extension uses an old version of the third party library guzzlehttp/guzzle, which is known to be vulnerable against the HTTPOXY attack. Read https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm or https://httpoxy.org/ for further details.
An updated version 3.18.30 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/aws_sdk_php/3.18.30/zip/.
Users of the extension are advised to update the extension as soon as possible.
Thanks to Michael Schams who discovered and reported the vulnerability.