CVE-2025-5279

Source
https://cve.org/CVERecord?id=CVE-2025-5279
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5279.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-5279
Aliases
Downstream
Related
Published
2025-05-27T21:15:23.370Z
Modified
2026-03-14T15:04:37.164630Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips SSL certificate validation for the connection to the Identity Provider. Because that connection is not authenticated, an actor positioned on the network path could intercept the token exchange and retrieve an access token.

This issue has been addressed in driver version 2.1.7. Users should upgrade to that version, and ensure any forked or derivative code is patched to incorporate the fix.

References

Affected packages

Git / github.com/aws/amazon-redshift-python-driver

Affected ranges

Type
GIT
Repo
https://github.com/aws/amazon-redshift-python-driver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*
2.0.905
v2.*
v2.0.384
v2.0.389
v2.0.393
v2.0.399
v2.0.405
v2.0.659
v2.0.711
v2.0.872
v2.0.873
v2.0.874
v2.0.875
v2.0.876
v2.0.877
v2.0.878
v2.0.879
v2.0.880
v2.0.881
v2.0.882
v2.0.883
v2.0.884
v2.0.885
v2.0.886
v2.0.887
v2.0.888
v2.0.889
v2.0.900
v2.0.901
v2.0.902
v2.0.903
v2.0.904
v2.0.906
v2.0.908
v2.0.909
v2.0.910
v2.0.911
v2.0.912
v2.0.913
v2.0.914
v2.0.915
v2.0.916
v2.0.917
v2.0.918
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5279.json"