CVE-2026-8838

CRITICAL9.8EPSS 0.08%

amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection

發布日:2026/5/29修改日:2026/6/2
也稱為:GHSA-29h4-r29x-hchvCGA-44f7-mm2v-vvg6

描述

### Summary amazon-redshift-python-driver is the official Python connector for Amazon Redshift. In versions 2.1.13 and earlier, the driver insufficiently validates data received from the server during query result processing. A rogue server or man-in-the-middle could leverage this to execute arbitrary code on the client. ### Impact When a client connects to a rogue server implementing the PostgreSQL wire protocol, the server can send specially crafted query responses that the driver processes without adequate input validation. This could result in arbitrary code execution in the client process, potentially enabling command execution, file system access, or credential theft with the privileges of the client application. Impacted versions: <=2.1.13 ### Patches This has been addressed in amazon-redshift-python-driver version 2.1.14 (https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.14). Amazon Redshift recommends upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. ### References If there are any questions or comments about this advisory, contact AWS Security via the issue reporting page or directly via email to [email protected]. Please do not create a public GitHub issue. ### Acknowledgement Amazon Redshift would like to thank Kexin Chen (@ckx-sec) for collaborating through the coordinated disclosure process.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osvCVSS 3.1CRITICAL9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)