Description
When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips SSL/TLS certificate validation for the Identity Provider (IdP). Because the connection to the IdP is not authenticated, an attacker positioned on the network path can impersonate the IdP, intercept the token exchange, and retrieve the access token.
This issue has been addressed in driver version 2.1.7. Users should upgrade, and anyone maintaining forked or derivative code should port the fix.
A flaw was found in the Amazon Redshift Python Connector. When the BrowserAzureOAuth2CredentialsProvider plugin is used, the insecure connection to the Identity Provider allows an attacker to intercept the token exchange process and retrieve an access token.
Report
This vulnerability is rated Important severity. When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips SSL certificate validation for the Identity Provider during the token exchange, so the IdP connection is not authenticated. An attacker able to intercept that traffic can impersonate the IdP and retrieve the access token the driver uses to authenticate.
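The weak TLS setting the advisory describes beside its corrected form, plus a pre-flight check a deployment can run before the token exchange. This is an added example, not the driver's own code: the stdlib ssl.SSLContext stands in for the driver's HTTP client, the helper names and the constructed inputs are assumptions, and the only fact taken from the page is the 2.1.7 fix version.

```python
"""
Stand-in for the driver's IdP token-exchange client: the weak TLS
configuration the advisory describes beside the hardened one, plus a
pre-flight gate a deployment can run before exchanging a token.
Assumed, not from the driver: the helper names, the stdlib ssl.SSLContext
stand-in for the driver's HTTP client, and the constructed inputs.
"""
import ssl

# From the advisory: versions below 2.1.7 skip IdP certificate validation
# when the BrowserAzureOAuth2CredentialsProvider plugin is used.
FIXED_VERSION = (2, 1, 7)
PLUGIN = "BrowserAzureOAuth2CredentialsProvider"


def parse_version(version: str) -> tuple:
    """'2.1.7' -> (2, 1, 7); segments beyond the third are ignored."""
    parts = version.split(".")[:3]
    return tuple(int(p) for p in parts)


def version_is_affected(version: str) -> bool:
    """True for any driver version older than the 2.1.7 fix."""
    return parse_version(version) < FIXED_VERSION


def insecure_idp_context() -> ssl.SSLContext:
    """The failure mode: a client context that accepts any certificate,
    so an on-path attacker can present its own certificate, terminate the
    TLS session and read the token exchange in the clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_idp_context() -> ssl.SSLContext:
    """What the IdP connection should look like: system trust store,
    hostname checked against the certificate, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_idp(ctx: ssl.SSLContext) -> bool:
    """True only if the peer chain is validated AND bound to the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def token_exchange_preflight(driver_version: str, plugin: str,
                             ctx: ssl.SSLContext) -> list:
    """Return the reasons the exchange must NOT proceed (empty list == safe)."""
    findings = []
    if plugin == PLUGIN and version_is_affected(driver_version):
        findings.append(f"driver {driver_version} < 2.1.7 with {plugin}: "
                        "IdP certificate validation skipped")
    if not context_verifies_idp(ctx):
        findings.append("TLS context does not validate the IdP certificate "
                        "(verify_mode/check_hostname)")
    return findings


if __name__ == "__main__":
    # Constructed inputs: an affected build with the weak context beside
    # a fixed build with the hardened one.
    for version, ctx in [("2.1.6", insecure_idp_context()),
                         ("2.1.7", hardened_idp_context())]:
        problems = token_exchange_preflight(version, PLUGIN, ctx)
        print(version, "BLOCKED:" if problems else "ok", "; ".join(problems))
```

The script needs no network access. Upgrading to 2.1.7 clears the first finding; the second catches a wrapper or derivative that still builds its IdP client with verification disabled, which the advisory's upgrade advice alone does not cover.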
Source references
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin
CVSS3: 7.5 High