GHSA-r244-wg5g-6w2r

Source

https://github.com/advisories/GHSA-r244-wg5g-6w2r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-r244-wg5g-6w2r/GHSA-r244-wg5g-6w2r.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-r244-wg5g-6w2r

Aliases

CVE-2025-5279

Related

CGA-6m5c-6mr7-74r5

Published

2025-05-28T14:57:31Z

Modified

2025-05-28T15:12:12.951160Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin

Details

Summary

Amazon Redshift Python Connector is a pure Python connector to Redshift (i.e., driver) that implements the Python Database API Specification 2.0.

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider.

Impact

An insecure connection could allow an actor to intercept the token exchange process and retrieve an access token.

Impacted versions: >=2.0.872;<=2.1.6

Patches

Upgrade Amazon Redshift Python Connector to version 2.1.7 and ensure any forked or derivative code is patched to incorporate the new fixes.

Workarounds

None

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Database specific

{
    "nvd_published_at": "2025-05-27T21:15:23Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T14:57:31Z"
}

References

Affected packages

PyPI / redshift-connector

Package

Name: redshift-connector; View open source insights on deps.dev
Purl: pkg:pypi/redshift-connector

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.872

Fixed

2.1.7

Affected versions

2.*

2.0.872

2.0.873

2.0.874

2.0.875

2.0.876

2.0.877

2.0.878

2.0.879

2.0.880

2.0.881

2.0.882

2.0.883

2.0.884

2.0.885

2.0.886

2.0.887

2.0.888

2.0.889

2.0.900

2.0.901

2.0.902

2.0.903

2.0.904

2.0.905

2.0.906

2.0.907

2.0.908

2.0.909

2.0.910

2.0.911

2.0.912

2.0.913

2.0.914

2.0.915

2.0.916

2.0.917

2.0.918

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

Database specific

{
    "last_known_affected_version_range": "<= 2.1.6"
}