Amazon amazon-redshift-python-driver
- <= 2.1.13
A remote code execution vulnerability has been identified in the official Python connector for Amazon Redshift, affecting versions through 2.1.13. The driver passed data received from the Redshift server to Python's eval(), so whoever controls the server side of the connection (a rogue server, or a man-in-the-middle who can tamper with the connection) can have the client evaluate arbitrary Python. The trigger is a specially crafted query response, which the driver evaluated rather than parsing strictly.
Successful exploitation runs attacker-chosen code on the client, with the privileges of the application that opened the connection. Depending on that application's privileges, this can mean executing commands, reading or writing the file system, or stealing credentials such as the database password and any cloud credentials available to the process.
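The bug class described above, shown side by side with the fix, as an added example that is not the driver's own code: a client that hands server-supplied text to eval() next to one that parses it with ast.literal_eval(), which accepts only Python literals. The "response" strings and the parse functions are constructed for the demonstration and do not reproduce the wire format redshift_connector actually uses; the malicious payload calls os.getpid() only so the effect stays harmless.

```python
"""Unsafe eval() on server data vs. a strict literal parser.

Illustrative code written for this advisory page; it is NOT the
redshift_connector source and the response format is invented.
"""
import ast


def parse_unsafe(server_text: str):
    # The anti-pattern: eval() on text that came off the wire. Any Python
    # expression the server (or a man-in-the-middle) sends is executed here.
    return eval(server_text)  # noqa: S307  (deliberately unsafe)


def parse_safe(server_text: str):
    # Hardened form: ast.literal_eval only builds numbers, strings, bytes,
    # tuples, lists, dicts, sets, booleans and None. Names, attribute access
    # and calls are rejected, so "__import__('os')..." cannot run.
    try:
        return ast.literal_eval(server_text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("refusing to parse non-literal server data") from exc


# Constructed responses: one a well-behaved server might plausibly send,
# one a rogue server or MITM could substitute for it.
BENIGN_RESPONSE = "[1, 2, 3]"
MALICIOUS_RESPONSE = "__import__('os').getpid()"  # could equally be os.system(...)


def demo() -> dict:
    """Run both parsers over both responses and report what happened."""
    results = {
        "benign_unsafe": parse_unsafe(BENIGN_RESPONSE),
        "benign_safe": parse_safe(BENIGN_RESPONSE),
        # eval() actually executes the call; a real PID comes back.
        "malicious_unsafe_ran": isinstance(parse_unsafe(MALICIOUS_RESPONSE), int),
    }
    try:
        parse_safe(MALICIOUS_RESPONSE)
        results["malicious_safe_rejected"] = False
    except ValueError:
        results["malicious_safe_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

ast.literal_eval is the right replacement only when the server is genuinely expected to send Python literals; when the data has its own format (a PostgreSQL-style array text, a JSON document) a dedicated parser for that format is the better fix, since literal_eval still spends unbounded time and memory on deeply nested input.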
Users are advised to upgrade to version 2.1.14 or later of the Amazon Redshift Python Driver, which is published on the Python Package Index (PyPI) as redshift_connector. Any pinned requirement or lock file that still resolves to 2.1.13 or earlier should be bumped as well.
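A quick way to check whether an installed copy falls in the affected range, added here as example code rather than anything shipped by the project. It reads the installed distribution's version with importlib.metadata (the distribution name `redshift_connector` is the one used on PyPI) and compares its numeric components against the 2.1.14 fix version; the helper deliberately ignores pre-release suffixes, so "2.1.14rc1" would be reported as fixed.

```python
"""Check an installed redshift_connector against the 2.1.14 fix.

Example code for this advisory; not part of the driver.
"""
from importlib.metadata import PackageNotFoundError, version

DISTRIBUTION = "redshift_connector"  # PyPI distribution name
FIXED_VERSION = (2, 1, 14)           # first release without the eval() call


def parse_version(text: str) -> tuple:
    """Turn the leading numeric dotted part of a version string into a tuple.

    "2.1.13" -> (2, 1, 13); "2.1.14rc1" -> (2, 1, 14); "2.1" -> (2, 1).
    Pre-release/local suffixes are dropped, which is good enough for a
    fixed-version check but not a full PEP 440 comparison.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version_text: str) -> bool:
    """True when the version is <= 2.1.13, i.e. before the fix."""
    return parse_version(version_text) < FIXED_VERSION


def installed_status(distribution: str = DISTRIBUTION):
    """Return (installed_version, affected); (None, False) if not installed."""
    try:
        installed = version(distribution)
    except PackageNotFoundError:
        return None, False
    return installed, is_affected(installed)


if __name__ == "__main__":
    installed, affected = installed_status()
    if installed is None:
        print(f"{DISTRIBUTION} is not installed in this environment")
    elif affected:
        print(f"{DISTRIBUTION} {installed} is affected; upgrade to 2.1.14 or later")
    else:
        print(f"{DISTRIBUTION} {installed} is not affected")
```

Run it inside each virtual environment or container image that talks to Redshift; the package can be installed in several places on one host, and only the interpreter that actually runs the client matters.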