Description
Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/2026-051-aws/
Third Party Advisory third-party-advisory
https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-c5q4-97jw-jggh
Scores
CVSS v3
7.5
EPSS
0.0042
EPSS Percentile
33.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
amazon/advanced_jdbc_wrapper
3.3.0 - 4.0.1
AWS/AWS Advanced JDBC Wrapper
3.3.0 - 4.0.0
Published
Jul 01, 2026
Tracked Since
Jul 02, 2026