CVE-2025-5279
Status: PUBLISHED · CVSS 7 (HIGH)
When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and retrieve an access token. This issue has been addressed in driver version 2.1.7. Users should upgrade to address this issue and ensure any forked or derivative code is patched to incorporate the new fixes.
EPSS 0.19% · 40.8th percentile
Risk Scores
| Metric | Value |
|---|---|
| CVSS v4.0 base score | 7 (HIGH) |
| CVSS v4.0 vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
| EPSS score | 0.19% (40.8th percentile) |
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Redshift | 2.0.872 |
| PyPI | redshift-connector | 2.0.872 |
Timeline
- May 27, 2025 CVE Published
- May 27, 2025 PoC Published
- May 27, 2025 PoC Published
- May 27, 2025 PoC Published
- May 28, 2025 EPSS Score
- May 29, 2025 PoC Published
- Jun 1, 2025 PoC Published
- Jun 2, 2025 Coalition ESS Score
- Jun 8, 2025 EPSS Score
- Jun 19, 2025 EPSS Score
- Jun 30, 2025 EPSS Score
- Jul 11, 2025 EPSS Score
References
| URL | Type |
|---|---|
| https://aws.amazon.com/security/security-bulletins/AWS-2025-011/ | vendor advisory |
| https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.7 | patch |
| https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-r244-wg5g-6w2r | vendor advisory |
| https://nvd.nist.gov/vuln/detail/CVE-2025-5279 | advisory |
| https://aws.amazon.com/security/security-bulletins | url |
| https://aws.amazon.com/security/security-bulletins/AWS-2025-011 | url |
| https://github.com/aws/amazon-redshift-python-driver | package |