{ "schema_version": "1.4.0", "id": "GHSA-f5h9-qx38-2hgp", "modified": "2023-01-10T15:39:09Z", "published": "2022-12-27T15:30:19Z", "aliases": [ "CVE-2022-4725" ], "summary": "AWS SDK is vulnerable to server-side request forgery (SSRF) ", "details": "A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 can address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assigned to this vulnerability.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-android-sdk-mobile-client" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.59.1" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 2.59.0" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4725" }, { "type": "WEB", "url": "https://github.com/aws-amplify/aws-sdk-android/pull/3100" }, { "type": "WEB", "url": "https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b" }, { "type": "PACKAGE", "url": "https://github.com/aws-amplify/aws-sdk-android" }, { "type": "WEB", "url": "https://github.com/aws-amplify/aws-sdk-android/releases/tag/release_v2.59.1" }, { "type": "WEB", "url": "https://vuldb.com/?id.216737" } ], "database_specific": { "cwe_ids": [ "CWE-918" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-12-30T00:54:03Z", "nvd_published_at": "2022-12-27T15:15:00Z" } }