CVE-2025-5279
Severity: HIGH 7.5 | EPSS: 0.19%
Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin
Description
### Summary

[Amazon Redshift Python Connector](https://docs.aws.amazon.com/redshift/latest/mgmt/python-redshift-driver.html) is a pure Python connector to Redshift (i.e., a driver) that implements the [Python Database API Specification 2.0](https://www.python.org/dev/peps/pep-0249/). When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips SSL certificate validation for its connection to the Identity Provider, so the IdP endpoint it talks to is not authenticated.

### Impact

An insecure connection could allow an actor positioned on the network path to intercept the token exchange process and retrieve an access token.

**Impacted versions:** >=2.0.872;<=2.1.6

### Patches

Upgrade Amazon Redshift Python Connector to version 2.1.7 and ensure any forked or derivative code is patched to incorporate the new fixes.

### Workarounds

None

### References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
Affected packages (1)
- PyPI/redshift-connector: >= 2.0.872, < 2.1.7
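The affected range above is easy to misjudge by eye (2.0.871 is clean, 2.0.872 is not, and the fix lands at 2.1.7), and the exposure only exists when the BrowserAzureOAuth2CredentialsProvider plugin is actually selected. The following script is an added example, not code from the advisory or from the redshift-connector project: it parses a version string, tests it against the advisory's range, and combines that with the connection configuration to produce a finding. It assumes the plugin is selected through the `credentials_provider` keyword passed to `redshift_connector.connect()`; the inventory rows are constructed sample data.

```python
"""Flag redshift-connector deployments exposed to CVE-2025-5279.

Affected range per the advisory: >= 2.0.872 and <= 2.1.6; fixed in 2.1.7.
Only connections configured with the BrowserAzureOAuth2CredentialsProvider
plugin are exposed, so the check looks at both version and configuration.
Added example; not part of the advisory or the redshift-connector project.
"""
from dataclasses import dataclass
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Optional, Tuple

AFFECTED_MIN = (2, 0, 872)   # first affected release (inclusive)
FIXED = (2, 1, 7)            # first release carrying the fix
VULNERABLE_PLUGIN = "BrowserAzureOAuth2CredentialsProvider"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.1.6' (or 'v2.1.6rc1') into (2, 1, 6).

    Any non-numeric suffix such as 'rc1' is dropped, so a pre-release of
    2.1.7 is treated as 2.1.7; adjust if your policy treats it otherwise.
    """
    text = text.strip().lstrip("v")
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected_version(ver: str) -> bool:
    """True when ver falls inside [2.0.872, 2.1.7)."""
    return AFFECTED_MIN <= parse_version(ver) < FIXED


@dataclass
class Finding:
    version: str
    credentials_provider: Optional[str]
    vulnerable: bool
    reason: str


def assess(ver: str, connect_kwargs: dict) -> Finding:
    """Combine the installed version with the connect() configuration.

    connect_kwargs is the keyword dict a deployment passes to
    redshift_connector.connect(); only 'credentials_provider' is inspected
    (assumed keyword name, see lead-in).
    """
    provider = connect_kwargs.get("credentials_provider")
    if not is_affected_version(ver):
        return Finding(ver, provider, False, "version outside affected range")
    if provider != VULNERABLE_PLUGIN:
        return Finding(ver, provider, False,
                       "affected version, but the vulnerable plugin is not configured")
    return Finding(ver, provider, True,
                   f"affected version with {VULNERABLE_PLUGIN}; upgrade to >= 2.1.7")


def installed_redshift_connector_version() -> Optional[str]:
    """Version of redshift-connector in the current environment, or None."""
    try:
        return installed_version("redshift-connector")
    except PackageNotFoundError:
        return None


# Constructed sample inventory (version, connect kwargs); not real data.
SAMPLE_INVENTORY = [
    ("2.1.6", {"credentials_provider": VULNERABLE_PLUGIN}),
    ("2.0.871", {"credentials_provider": VULNERABLE_PLUGIN}),
    ("2.1.3", {"iam": True}),                    # no browser plugin selected
    ("2.1.7", {"credentials_provider": VULNERABLE_PLUGIN}),
]

if __name__ == "__main__":
    for ver, kwargs in SAMPLE_INVENTORY:
        f = assess(ver, kwargs)
        print(f"{ver:>8}  {str(f.credentials_provider):40}  vulnerable={f.vulnerable}  ({f.reason})")
    live = installed_redshift_connector_version()
    print("installed here:", live or "redshift-connector not installed")
```

Run it where the driver is deployed to get both the sample table and the locally installed version; feed `assess()` the real `connect()` keyword arguments from your configuration to turn it into a one-line pre-upgrade check.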
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-5279
- PATCH: https://github.com/aws/amazon-redshift-python-driver
- WEB: https://aws.amazon.com/security/security-bulletins
- WEB: https://aws.amazon.com/security/security-bulletins/AWS-2025-011
- WEB: https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.7
- WEB: https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-r244-wg5g-6w2r