CVE-2024-32888 – com.amazon.redshift:redshift-jdbc42

Package

Manager: maven
Name: com.amazon.redshift:redshift-jdbc42
Vulnerable Version: >=0 <2.1.0.28

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00191 pctl0.41228

Details

Amazon JDBC Driver for Redshift SQL Injection via line comment generation ### Impact SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code which has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default, extended query mode. Note that `preferQueryMode` is not a supported parameter in Redshift JDBC driver, and is inherited code from Postgres JDBC driver. Users who do not override default settings to utilize this unsupported query mode are not affected. ### Patch This issue is patched in driver version 2.1.0.28. ### Workarounds Do not use the connection property `preferQueryMode=simple`. (NOTE: If you do not explicitly specify a query mode, then you are using the default of extended query mode and are not affected by this issue.) ### References Similar to finding in Postgres JDBC: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56 If you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

Metadata

Created: 2024-05-15T17:10:49Z
Modified: 2025-06-13T20:45:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-x3wm-hffr-chwm/GHSA-x3wm-hffr-chwm.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-x3wm-hffr-chwm
Finding: F106
Auto approve: 1