Published Date: December 27, 2024
Package | Affected Versions | Patched Versions | Severity |
---|---|---|---|
📦 redshift_connector (pip) | = 2.1.4 | 2.1.5 | High |
Description
Summary
A SQL injection vulnerability exists in the Amazon Redshift Python Connector (`redshift_connector`) version 2.1.4. An attacker who controls the arguments passed to the `get_schemas`, `get_tables`, or `get_columns` metadata APIs can inject SQL into the queries the connector builds from them and may use this to gain escalated privileges. Immediate action: upgrade to version 2.1.5 or revert to version 2.1.3.
Impact
When the metadata APIs (`get_schemas`, `get_tables`, `get_columns`) are called, their unvalidated inputs are interpolated into SQL queries, so an attacker who controls those inputs can alter the database commands the connector executes.
Patches & Workarounds
Fix Details (Patched in 2.1.5)
- All metadata command inputs are now passed through parameterized queries.
- Inputs are quoted with `QUOTE_IDENT(string)` (for identifiers) or `QUOTE_LITERAL(string)` (for string values) to prevent injection.
- Commands are composed only after all inputs have been sanitized.
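The query shape behind the Impact section and the parameterized fix described above, as an added example that is not part of this advisory or of `redshift_connector` itself. sqlite3 stands in for Redshift so the snippet runs offline (an assumption for the demo), and the catalog table, the `credentials` table and every row in them are constructed sample data; the function names are illustrative, not the connector's API.

```python
# Added example for this advisory; it is not code from redshift_connector.
# sqlite3 stands in for Redshift so the demo runs offline (assumption), and the
# catalog/credential rows below are constructed sample data. The point carries
# over unchanged: a metadata lookup that splices its filter argument into the
# SQL text is injectable, while one that binds the argument as a parameter is not.
import sqlite3


def make_catalog() -> sqlite3.Connection:
    """Build a tiny in-memory stand-in for the catalog a get_tables() call would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog_tables (schema_name TEXT, table_name TEXT)")
    conn.executemany(
        "INSERT INTO catalog_tables VALUES (?, ?)",
        [("public", "orders"), ("public", "customers"),
         ("finance", "payroll"), ("hr", "employees")],
    )
    # A second table the metadata API should never expose (constructed sample data).
    conn.execute("CREATE TABLE credentials (username TEXT, secret TEXT)")
    conn.execute("INSERT INTO credentials VALUES ('dbadmin', 'hunter2')")
    return conn


def get_tables_vulnerable(conn: sqlite3.Connection, schema_pattern: str) -> list[tuple]:
    """Vulnerable pattern: the caller's filter becomes part of the SQL text.
    A single quote in schema_pattern closes the literal; the rest is parsed as SQL."""
    sql = ("SELECT schema_name, table_name FROM catalog_tables "
           f"WHERE schema_name LIKE '{schema_pattern}'")
    return conn.execute(sql).fetchall()


def get_tables_parameterized(conn: sqlite3.Connection, schema_pattern: str) -> list[tuple]:
    """Fixed pattern: the filter is bound as a query parameter. The SQL text is
    constant, so whatever the caller passes can only ever be compared as data."""
    sql = "SELECT schema_name, table_name FROM catalog_tables WHERE schema_name LIKE ?"
    return conn.execute(sql, (schema_pattern,)).fetchall()


# Two constructed attacker inputs for the schema-pattern argument:
# a tautology that widens the filter to every row, and a UNION that pulls rows
# out of an unrelated table through the metadata call.
TAUTOLOGY = "public' OR '1'='1"
UNION_LEAK = "x' UNION SELECT username, secret FROM credentials --"


if __name__ == "__main__":
    conn = make_catalog()
    for label, arg in (("benign", "public"), ("tautology", TAUTOLOGY), ("union", UNION_LEAK)):
        print(f"{label:10} vulnerable    -> {get_tables_vulnerable(conn, arg)}")
        print(f"{label:10} parameterized -> {get_tables_parameterized(conn, arg)}")
```

With the benign pattern both functions return the two `public` tables. With the tautology the vulnerable version returns every catalog row and with the UNION input it returns the `credentials` row, while the parameterized version returns nothing for either, because the bound string is matched literally. Binding only works for values such as a `LIKE` pattern; a schema or table name that has to appear as an object identifier in the statement cannot be bound, which is why the fix above also quotes identifiers with `QUOTE_IDENT` and literals with `QUOTE_LITERAL` before composing the command.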
Workaround (If Immediate Upgrade Isn’t Possible)
- Downgrade to version 2.1.3, which is not affected by this vulnerability.
Upgrade Command:
Downgrade Command: