Update aws/aws-sdk-php

[chris-bateman]

| Package | aws/aws-sdk-php | | Severity | medium | | CVE | CVE-2023-51651 | | Title | Potential URI resolution path traversal in the AWS SDK for PHP | | URL | https://nvd.nist.gov/vuln/detail/CVE-2023-51651 | | Affected versions | >=3.0.0,<3.288.1 | | Reported at | 2023-11-22T00:00:00+00:00 |

[DerekCrannaford]

See:

https://github.com/2pisoftware/cmfive-core/pull/372

https://github.com/2pisoftware/cmfive-boilerplate/pull/182

[DerekCrannaford]

Notes.

Existing mitigation:

• cosine various applies internal key-path strategies and filename sanitation
• browser file submission generally forces sound path and filespec compositions Both aspects serve to frustrate s3 keypath exploit.

Live hotfix possible:

• sdk version lift is not a breaking change on >PHP8 systems
• in case of hosts reluctant to full (cosine) stack redeployment; SDK upgrade can be made in situ, from html root, ---> ./composer.phar require aws/aws-sdk-php

• with expected target being ^3.322, visible by ---> ./composer.phar show | grep "sdk"

  PHP<<8 systems cannot be lifted past approx:3.224.0, with vulnerability.