CVE-2022-41828

HIGH

Amazon AWS Redshift JDBC Driver <2.1.0.8 - Code Injection

Title source: llm

Description

In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.

Exploits (1)

nomisec WRITEUP 4 stars

by murataydemir · poc

https://github.com/murataydemir/CVE-2022-41828

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5

[Third Party Advisory] https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-jc69-hjw2-fm86

Scores

CVSS v3 8.1

EPSS 0.0964

EPSS Percentile 92.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-704

Status published

Products (2)

amazon/amazon_web_services_redshift_java_database_connectivity_driver < 2.1.0.8

com.amazon.redshift/redshift-jdbc42 0 - 2.1.0.8Maven

Published Sep 29, 2022

Tracked Since Feb 18, 2026