Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNWg5LXF4MzgtMmhncM4AAwnj
AWS SDK is vulnerable to server-side request forgery (SSRF)
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 can address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assigned to this vulnerability.
Permalink: https://github.com/advisories/GHSA-f5h9-qx38-2hgpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNWg5LXF4MzgtMmhncM4AAwnj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-f5h9-qx38-2hgp, CVE-2022-4725
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4725
- https://github.com/aws-amplify/aws-sdk-android/pull/3100
- https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b
- https://github.com/aws-amplify/aws-sdk-android/releases/tag/release_v2.59.1
- https://vuldb.com/?id.216737
- https://github.com/advisories/GHSA-f5h9-qx38-2hgp
Blast Radius: 20.1
Affected Packages
maven:com.amazonaws:aws-android-sdk-mobile-client
Dependent packages: 9Dependent repositories: 113
Downloads:
Affected Version Ranges: <= 2.59.0
Fixed in: 2.59.1
All affected versions: 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19, 2.6.20, 2.6.21, 2.6.22, 2.6.23, 2.6.24, 2.6.25, 2.6.26, 2.6.27, 2.6.28, 2.6.29, 2.6.30, 2.6.31, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.16.11, 2.16.12, 2.16.13, 2.17.0, 2.17.1, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.22.1, 2.22.2, 2.22.3, 2.22.4, 2.22.5, 2.22.6, 2.22.7, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.37.1, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.41.1, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.46.0, 2.47.0, 2.48.0, 2.48.1, 2.49.0, 2.50.0, 2.50.1, 2.51.0, 2.52.0, 2.52.1, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0
All unaffected versions: 2.59.1, 2.60.0, 2.61.0, 2.62.0, 2.62.1, 2.62.2, 2.63.0, 2.64.0, 2.65.0, 2.66.0, 2.67.0, 2.68.0, 2.69.0, 2.70.0, 2.71.0, 2.72.0, 2.73.0, 2.74.0, 2.75.0