GHSA-f5h9-qx38-2hgp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f5h9-qx38-2hgp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-f5h9-qx38-2hgp/GHSA-f5h9-qx38-2hgp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f5h9-qx38-2hgp
- Aliases
- Published
- 2022-12-27T15:30:19Z
- Modified
- 2023-11-08T04:10:59.678808Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- AWS SDK is vulnerable to server-side request forgery (SSRF)
- Details
-
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 can address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assigned to this vulnerability.
- Database specific
{ "nvd_published_at": "2022-12-27T15:15:00Z", "github_reviewed_at": "2022-12-30T00:54:03Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-918" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-4725
- https://github.com/aws-amplify/aws-sdk-android/pull/3100
- https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b
- https://github.com/aws-amplify/aws-sdk-android
- https://github.com/aws-amplify/aws-sdk-android/releases/tag/release_v2.59.1
- https://vuldb.com/?id.216737
Affected packages
Maven / com.amazonaws:aws-android-sdk-mobile-client
Package
- Name
- com.amazonaws:aws-android-sdk-mobile-client
- View open source insights on deps.dev
- Purl
- pkg:maven/com.amazonaws/aws-android-sdk-mobile-client
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.59.1
Affected versions
2.*
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.6.18
2.6.19
2.6.20
2.6.21
2.6.22
2.6.23
2.6.24
2.6.25
2.6.26
2.6.27
2.6.28
2.6.29
2.6.30
2.6.31
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.7
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.16.0
2.16.1
2.16.2
2.16.3
2.16.4
2.16.5
2.16.6
2.16.7
2.16.8
2.16.9
2.16.10
2.16.11
2.16.12
2.16.13
2.17.0
2.17.1
2.18.0
2.19.0
2.19.1
2.19.2
2.19.3
2.19.4
2.20.0
2.20.1
2.21.0
2.22.0
2.22.1
2.22.2
2.22.3
2.22.4
2.22.5
2.22.6
2.22.7
2.23.0
2.24.0
2.25.0
2.26.0
2.27.0
2.28.0
2.29.0
2.30.0
2.31.0
2.32.0
2.33.0
2.34.0
2.35.0
2.36.0
2.37.0
2.37.1
2.38.0
2.39.0
2.40.0
2.41.0
2.41.1
2.42.0
2.43.0
2.44.0
2.45.0
2.46.0
2.47.0
2.48.0
2.48.1
2.49.0
2.50.0
2.50.1
2.51.0
2.52.0
2.52.1
2.53.0
2.54.0
2.55.0
2.56.0
2.57.0
2.58.0
2.59.0