Closed AlexRs2023 closed 8 months ago
Thank you for reaching out regarding CVE-2022-4725. We can confirm that AWS SDK for Android is not affected by this CVE. The Android OS’s XML parser is a modified version of Java’s XML parser and it does not evaluate DTDs automatically. Therefore, XXE attacks are unsuccessful in Android OS’s XML parser. Please note that a previous fix for this CVE was reverted [1] after we confirmed that AWS SDK for Android is not affected.
[1] https://github.com/aws-amplify/aws-sdk-android/pull/3353
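Added check, not code from this issue or from the AWS SDK for Android: rather than trusting a parser's stated defaults, a practitioner can settle the "does this XML parser expand external entities?" question empirically. The probe below writes a canary into a temp file, references it through a `SYSTEM` entity in an inline DTD, and reports whether the canary appears in the parsed text. It can be run as a plain JVM program or dropped into an Android instrumentation test to exercise the device's own `DocumentBuilderFactory`. The hardened factory applies the usual Xerces hardening feature names; these are honoured by the JDK's bundled parser, while Android's built-in `DocumentBuilderFactoryImpl` is assumed to reject unknown feature names with `ParserConfigurationException`, so each is applied best-effort and the behavioural probe is the real check. Class and method names (`XxeProbe`, `expandsExternalEntity`, `hardenedFactory`) are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Hypothetical probe class; not part of the AWS SDK for Android.
public class XxeProbe {

    private static final String CANARY = "XXE-CANARY-7f3a";

    // Returns true if the parser built from `factory` resolved the external
    // general entity, i.e. it is XXE-capable in its current configuration.
    // A parser that refuses the DOCTYPE throws, which counts as "not expanded".
    static boolean expandsExternalEntity(DocumentBuilderFactory factory) throws Exception {
        File secret = File.createTempFile("xxe-probe", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), CANARY.getBytes(StandardCharsets.UTF_8));

        // Constructed payload: inline DTD declaring an external entity that
        // points at the local canary file.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + secret.toURI() + "\">]>\n"
                + "<r>&ext;</r>";
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            String text = doc.getDocumentElement().getTextContent();
            return text != null && text.contains(CANARY);
        } catch (Exception e) {
            return false;
        }
    }

    // Best-effort setFeature: the JDK parser recognises these names, while
    // Android's built-in factory is assumed to throw for unknown ones.
    private static void tryFeature(DocumentBuilderFactory f, String name, boolean value) {
        try {
            f.setFeature(name, value);
        } catch (ParserConfigurationException ignored) {
            // Feature not supported by this implementation; the probe still
            // tells us whether the resulting parser expands the entity.
        }
    }

    // Conventional XXE hardening for javax.xml DocumentBuilderFactory.
    static DocumentBuilderFactory hardenedFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        tryFeature(f, "http://apache.org/xml/features/disallow-doctype-decl", true);
        tryFeature(f, "http://xml.org/sax/features/external-general-entities", false);
        tryFeature(f, "http://xml.org/sax/features/external-parameter-entities", false);
        tryFeature(f, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory expands external entity:  "
                + expandsExternalEntity(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened factory expands external entity: "
                + expandsExternalEntity(hardenedFactory()));
    }
}
```

Run it once against the stock JDK and once on an Android device or emulator; only a `false` from the default factory on the target platform supports a "not affected" conclusion for code that parses untrusted XML through that platform's parser.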
Hi @tjleing, thank you so much for the prompt response, I appreciate it. I will let my team know this is not a concern.
Thanks and have a great day.
The latest version of the library still references an old version of aws-android-sdk-mobile-client, 2.22.1, which still exposes the CVE-2022-4725 vulnerability.
To Reproduce
Expected behavior
The latest SDK should use an updated version of the dependency that addresses this vulnerability, at least aws-android-sdk-mobile-client v2.59.1.
Screenshots N/A
Environment(please complete the following information): N/A
Device Information (please complete the following information): N/A