awslabs / aws-mobile-appsync-sdk-android

Android SDK for AWS AppSync.
https://docs.amplify.aws/sdk/api/graphql/q/platform/android/
Apache License 2.0
105 stars, 58 forks

Fix critical vulnerability CVE-2022-4725 flagged by Sonarqube on dependency: aws-android-sdk-mobile-client 2.22.1 #424

Closed. AlexRs2023 closed this 8 months ago

AlexRs2023 commented 8 months ago

Latest version of the library still references an old version of aws-android-sdk-mobile-client 2.22.1 which still exposes CVE-2022-4725 vulnerability.

To Reproduce

  1. Go to aws-android-sdk-appsync maven repository
  2. Click on aws-android-sdk-appsync v3.4.1 maven repository
  3. Scroll down to aws-android-sdk-mobile-client v2.22.1
  4. Navigate to dependency aws-android-sdk-mobile-client maven repository
  5. See vulnerability shown.

Expected behavior

Latest SDK should use an updated version of the dependency that addresses this vulnerability, at least aws-android-sdk-mobile-client v2.59.1.

Screenshots: N/A

Environment (please complete the following information): N/A

Device Information (please complete the following information): N/A

Additional context: Add any other context about the problem here.

tjleing commented 8 months ago

Thank you for reaching out regarding CVE-2022-4725. We can confirm that AWS SDK for Android is not affected by this CVE. The Android OS’s XML parser is a modified version of Java’s XML parser and it does not evaluate DTDs automatically. Therefore, XXE attacks are unsuccessful in Android OS’s XML parser. Please note that a previous fix for this CVE was reverted [1] after we confirmed that AWS SDK for Android is not affected.

[1] https://github.com/aws-amplify/aws-sdk-android/pull/3353
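The reasoning above rests on the parser not evaluating DTDs. A portable way to confirm that for whichever XML parser a given build actually ships, as an added example (not code from this issue or from the AWS SDK): it parses a constructed document containing only an internal DTD entity and reports whether the entity was expanded, and it shows the standard hardened `DocumentBuilderFactory` settings. The `disallow-doctype-decl` feature name is Xerces-specific and is an assumption about the platform; parsers that do not recognise it throw `ParserConfigurationException`, which the probe surfaces rather than hides.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class DtdProbe {
    // Constructed probe document: one internal entity, nothing external is referenced.
    // If the parser evaluates the DTD, &probe; expands to "DTD-EVALUATED".
    private static final String PROBE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE root [<!ENTITY probe \"DTD-EVALUATED\">]>"
      + "<root>&probe;</root>";

    /**
     * Returns true only if the parser built from this factory evaluated the DTD
     * and expanded the entity. A refused DOCTYPE or an unexpanded reference both
     * count as "not evaluated", which is the behaviour XXE relies on being absent.
     */
    public static boolean dtdEvaluated(DocumentBuilderFactory factory)
            throws ParserConfigurationException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(PROBE)));
            String text = doc.getDocumentElement().getTextContent();
            return "DTD-EVALUATED".equals(text);
        } catch (SAXException refusedOrUnexpanded) {
            return false;
        }
    }

    /** Factory hardened so DOCTYPE declarations are refused regardless of platform defaults. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature name (assumption); unknown-feature platforms throw here.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("platform default evaluates DTD: " + dtdEvaluated(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened factory evaluates DTD: " + dtdEvaluated(hardenedFactory()));
    }
}
```

Run it inside the app process (an instrumented test, for instance) rather than on a desktop JVM, since the point is the parser the device actually uses.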

AlexRs2023 commented 8 months ago

Hi @tjleing, thank you so much for the prompt response, I appreciate it. I will let my team know this is not a concern.

Thanks and have a great day.