216.73.216.169

CVE-2025-5279

· Published 27/05/2025 21:15 · Modified 28/05/2025 15:01

Labels: CVE-2025-5279 2025-05-27CVE-2025-5279CWE-295ff89ba41-3aa1-4d27-914a-91399e9639e5

Essential information

Published
27/05/2025 21:15
Modified
28/05/2025 15:01
Author
Creator
CVSS
7.0 HIGH (v3) 7.0 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and retrieve an access token. This issue has been addressed in driver version 2.1.7. Users should upgrade to address this issue and ensure any forked or derivative code is patched to incorporate the new fixes.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ff89ba41-3aa1-4d27-914a-91399e9639e5
NVD
View on NVD

Affected products (CPE)

ProductCPE
amazon / redshift cpe:2.3:a:amazon:redshift:2.1.7:*:*:*:*:*:*:*

References