CVE-2024-32888: Amazon JDBC Driver for Redshift SQL Injection via line comment generation
SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code which has a vulnerable SQL that negates a parameter value.
There is no vulnerability in the driver when using the default, extended query mode. Note that preferQueryMode is not a supported parameter in Redshift JDBC driver, and is inherited code from Postgres JDBC driver. Users who do not override default settings to utilize this unsupported query mode are not affected.
References
- github.com/advisories/GHSA-x3wm-hffr-chwm
- github.com/aws/amazon-redshift-jdbc-driver
- github.com/aws/amazon-redshift-jdbc-driver/commit/0d354a5f26ca23f7cac4e800e3b8734220230319
- github.com/aws/amazon-redshift-jdbc-driver/commit/12a5e8ecfbb44c8154fc66041cca2e20ecd7b339
- github.com/aws/amazon-redshift-jdbc-driver/commit/bc93694201a291493778ce5369a72befeca5ba7d
- github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-x3wm-hffr-chwm
- github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
- nvd.nist.gov/vuln/detail/CVE-2024-32888
Code Behaviors & Features
Detect and mitigate CVE-2024-32888 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →