SQL Injection Vulnerability in Amazon JDBC Driver for Redshift Prior to Version 2.1.0.28
CVE-2024-32888
What is CVE-2024-32888?
The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC APIs of the Java Platform, Enterprise Edition. Versions prior to 2.1.0.28 contain an SQL injection vulnerability that is reachable only when the non-default connection property preferQueryMode=simple is used together with vulnerable application SQL code that negates a parameter value. Users of the default extended query mode are not affected. The preferQueryMode property is not officially supported by the Redshift JDBC driver; it is inherited from the Postgres JDBC driver code base. Users are advised not to override the default settings with this unsupported query mode, and a patch is available in driver version 2.1.0.28.
Affected Version(s)
amazon-redshift-jdbc-driver < 2.1.0.28