CVE-2025-5279

HIGH

Pypi Redshift-connector < 2.1.7 - Improper Certificate Validation

Title source: rule

Description

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and retrieve an access token. This issue has been addressed in driver version 2.1.7. Users should upgrade to address this issue and ensure any forked or derivative code is patched to incorporate the new fixes.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/AWS-2025-011/

[Vendor Advisory] https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-r244-wg5g-6w2r

[Release Notes] https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.7

Scores

CVSS v4 7.0

EPSS 0.0019

EPSS Percentile 40.8%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (2)

Amazon/Redshift 2.0.872 - 2.1.7

pypi/redshift-connector 2.0.872 - 2.1.7PyPI

Published May 27, 2025

Tracked Since Feb 18, 2026