CVE-2024-32888: Amazon JDBC Driver for Redshift SQL Injection via line comment generation
CVSS Score: 10 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-32888
GHSA ID:
EPSS Score: 0.50066%
CWE:
Published: 5/15/2024
Updated: 5/15/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.amazon.redshift:redshift-jdbc42 | maven | < 2.1.0.28 | 2.1.0.28 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how parameters are handled in 'simple query mode'. The toString method in SimpleParameterList.java inlined parameter values directly into the SQL text without quoting or casting them. The patched commits (bc93694, 12a5e8e) introduced explicit type casting via the quoteAndCast method and expanded type handling, confirming that the defect lay in parameter serialization. This matches the root cause in the PostgreSQL JDBC advisory, where improper parameter inlining allowed an inlined value to form a line comment and so change the meaning of the statement (comment-based SQL injection).
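The following Java class is an added illustration of the bug class described above and of the quote-and-cast mitigation; it is not the Redshift driver's code, and the class, method names (inlineRaw, inlineQuoteAndCast, quoteAndCast, containsUnquotedLineComment) and the sample query are assumptions constructed for this example. It shows why a parameter that is spliced into the SQL text verbatim can produce a line comment, and why wrapping every value in a quoted literal with an explicit cast keeps it from doing so.

```java
import java.util.List;

/**
 * Hypothetical illustration (not the driver's code) of raw parameter inlining
 * versus quote-and-cast inlining in a simple-query-mode JDBC path.
 */
public final class SimpleQueryInliner {

    /** Raw inlining: the parameter text is spliced into the SQL unchanged (the bug class). */
    static String inlineRaw(String sql, List<String> values) {
        return substitute(sql, values, null);
    }

    /** Quote-and-cast inlining: every parameter becomes '<escaped>'::<type>. */
    static String inlineQuoteAndCast(String sql, List<String> values, List<String> pgTypes) {
        return substitute(sql, values, pgTypes);
    }

    /**
     * Render one value as a quoted literal with an explicit cast. Single quotes are doubled;
     * this assumes standard_conforming_strings=on, so a backslash inside the literal is plain text.
     */
    static String quoteAndCast(String value, String pgType) {
        if (value == null) {
            return "NULL::" + pgType;
        }
        String escaped = value.replace("'", "''");
        return "'" + escaped + "'::" + pgType;
    }

    /** Replace each '?' outside a string literal with the next parameter. */
    private static String substitute(String sql, List<String> values, List<String> types) {
        StringBuilder out = new StringBuilder();
        int paramIdx = 0;
        boolean inLiteral = false;
        for (int i = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\'') {
                inLiteral = !inLiteral;
                out.append(c);
            } else if (c == '?' && !inLiteral) {
                String v = values.get(paramIdx);
                out.append(types == null ? v : quoteAndCast(v, types.get(paramIdx)));
                paramIdx++;
            } else {
                out.append(c);
            }
        }
        if (paramIdx != values.size()) {
            throw new IllegalArgumentException("parameter count mismatch");
        }
        return out.toString();
    }

    /** Defender-side check: does the generated SQL contain "--" outside any string literal? */
    static boolean containsUnquotedLineComment(String sql) {
        boolean inLiteral = false;
        for (int i = 0; i + 1 < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\'') {
                inLiteral = !inLiteral;
            } else if (!inLiteral && c == '-' && sql.charAt(i + 1) == '-') {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a statement that negates a numeric parameter and then binds a text one.
        String sql = "SELECT -?, ? FROM t";
        List<String> values = List.of("-1", "hello");
        List<String> types = List.of("int4", "text");

        String raw = inlineRaw(sql, values);
        String safe = inlineQuoteAndCast(sql, values, types);

        System.out.println("raw:  " + raw + "  line comment? " + containsUnquotedLineComment(raw));
        System.out.println("safe: " + safe + "  line comment? " + containsUnquotedLineComment(safe));
    }
}
```

With the raw path the minus sign in the query and the leading minus of the value meet to form a `--` sequence, which the check flags because everything after it on that line would be treated as a comment. The quote-and-cast path renders the same value as a quoted literal followed by a cast, so the minus sign is separated from the value by a quote and the check passes; a test that runs the generator over the application's statements and asserts containsUnquotedLineComment is false is a cheap regression guard for this class of defect.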