Skip to content

AWS SDK is vulnerable to server-side request forgery (SSRF)

Critical severity GitHub Reviewed Published Dec 27, 2022 to the GitHub Advisory Database • Updated Feb 3, 2023

Package

maven com.amazonaws:aws-android-sdk-mobile-client (Maven)

Affected versions

<= 2.59.0

Patched versions

2.59.1

Description

A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 can address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assigned to this vulnerability.

References

Published by the National Vulnerability Database Dec 27, 2022
Published to the GitHub Advisory Database Dec 27, 2022
Reviewed Dec 30, 2022
Last updated Feb 3, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2022-4725

GHSA ID

GHSA-f5h9-qx38-2hgp

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.