Amazon Redshift Python Connector SSL Certificate Validation Vulnerability in BrowserAzureOAuth2CredentialsProvider Plugin
Vulnerability
A vulnerability exists in the Amazon Redshift Python Connector when used with the BrowserAzureOAuth2CredentialsProvider plugin: the driver fails to validate the SSL certificate presented by the Identity Provider. Because the certificate is not checked, the connection to the Identity Provider is not authenticated, and an actor able to interpose on that connection could observe the OAuth2 token exchange and obtain an access token. The issue has been resolved in driver version 2.1.7. Users are advised to upgrade and to ensure that any forked or derivative code is also patched to include the latest fixes.
Impact
Exploitation of this vulnerability could result in the interception of access tokens during the OAuth2 token exchange process, potentially allowing unauthorized access to resources or services that the token grants permission to.
Remediation
Users should upgrade to version 2.1.7 of the Amazon Redshift Python Connector. Additionally, any forked or derivative code should be updated to incorporate the new fixes.
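Two checks a defender can run when triaging this advisory, as an added example that is not part of the advisory or of the connector's own code: a version gate against the fixed release named above, and a test that the TLS context used for the Identity Provider exchange actually verifies the peer certificate and hostname. The context-builder names and the audit function are assumptions for illustration; the insecure context only mirrors the class of misconfiguration the advisory describes.

```python
"""Triage helpers for the Redshift connector IdP certificate-validation advisory."""
import itertools
import ssl
from typing import List, Tuple

FIXED_VERSION = (2, 1, 7)  # first patched release named in the advisory


def parse_version(v: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric parts, is_prerelease) for a PEP 440-style version string."""
    nums, prerelease = [], False
    for piece in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        if not digits:  # ".post1" is a post-release; ".dev0"/".rc1" are pre-releases
            prerelease = not piece.startswith("post")
            break
        nums.append(int(digits))
        if len(digits) != len(piece):  # e.g. "7rc1" -> pre-release of x.y.7
            prerelease = True
            break
    return tuple(nums), prerelease


def connector_is_patched(version: str) -> bool:
    """True if the installed connector is 2.1.7 or later (pre-releases of 2.1.7 do not count)."""
    nums, prerelease = parse_version(version)
    if nums > FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and not prerelease


def idp_context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """A safe IdP context must both verify the chain and check the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def insecure_idp_context() -> ssl.SSLContext:
    # Constructed example of the weak setting: peer certificate never checked.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_idp_context() -> ssl.SSLContext:
    # Default context: CERT_REQUIRED plus hostname check against the system CA store.
    return ssl.create_default_context()


def audit(installed_version: str, idp_ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if not connector_is_patched(installed_version):
        findings.append(f"redshift_connector {installed_version} is below fixed version 2.1.7")
    if not idp_context_validates_peer(idp_ctx):
        findings.append("IdP TLS context does not validate the server certificate or hostname")
    return findings
```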
