
AVID-2026-R1388

Description

SQL Injection in the Amazon Redshift Python Connector affecting v2.1.4 (CVE-2024-12745)

Details

A SQL injection in the Amazon Redshift Python Connector v2.1.4 allows a user to gain escalated privileges via the get_schemas, get_tables, or get_columns Metadata APIs. Users are recommended to upgrade to the driver version 2.1.5 or revert to driver version 2.1.3.

Reason for inclusion in AVID: CVE-2024-12745 describes a SQL injection vulnerability in the Amazon Redshift Python Connector (v2.1.4) that can lead to elevated privileges. The connector is a software dependency commonly used in ML/AI data pipelines to access data from Redshift, making it a component in the AI software supply chain (data ingestion/feature retrieval). The issue is a standard security vulnerability (CWE-89) with high impact (CVSS 3.1 score 8.0). The advisory includes affected and fixed versions and external references (NVD, GHSA advisory, AWS bulletin, release notes). Therefore it is relevant for AVID curation as a software supply-chain vulnerability affecting AI systems.
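Two things a practitioner reading this entry will want to do are (1) check whether the single affected connector release is what a pipeline actually has installed and (2) understand the CWE-89 pattern behind a metadata lookup such as get_tables. The block below is an added illustration, not the connector's own code or a reproduction of the advisory's issue: the catalog table, the query shapes and the injection string are constructed stand-ins, and sqlite3 stands in for Redshift so the example runs offline. The distribution names tried for the version check are assumptions.

```python
"""Added illustration for the advisory above: a version check for the
affected redshift_connector release and a vulnerable vs. hardened
metadata lookup. Not the connector's code; all data is constructed.
"""
import sqlite3
from importlib import metadata

AFFECTED = (2, 1, 4)   # per the advisory: only 2.1.4 is affected
FIXED = (2, 1, 5)      # per the advisory: upgrade target (2.1.3 also unaffected)


def parse_version(v: str) -> tuple:
    """'2.1.4' -> (2, 1, 4); stops at the first non-numeric component."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True only for the one release the advisory names as affected."""
    return parse_version(version)[:3] == AFFECTED


def installed_connector_version():
    """Installed redshift_connector version, or None if it is not installed.
    Distribution names are an assumption (PyPI project vs. import name)."""
    for dist in ("redshift_connector", "redshift-connector"):
        try:
            return metadata.version(dist)
        except metadata.PackageNotFoundError:
            continue
    return None


def build_catalog() -> sqlite3.Connection:
    """Constructed stand-in for a catalog view like information_schema.tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE catalog_tables (table_schema TEXT, table_name TEXT);
        INSERT INTO catalog_tables VALUES ('public', 'orders');
        INSERT INTO catalog_tables VALUES ('public', 'customers');
        INSERT INTO catalog_tables VALUES ('finance', 'payroll');
    """)
    return conn


def get_tables_vulnerable(conn, schema: str) -> list:
    """CWE-89: the caller-controlled schema name is spliced into the SQL text,
    so a quote in the input changes the WHERE clause instead of matching it."""
    sql = (f"SELECT table_name FROM catalog_tables "
           f"WHERE table_schema = '{schema}' ORDER BY table_name")
    return [row[0] for row in conn.execute(sql)]


def get_tables_hardened(conn, schema: str) -> list:
    """Same lookup with a bound parameter: the schema name is data, not SQL.
    (redshift_connector uses the '%s' paramstyle; sqlite3 uses '?'.)"""
    sql = ("SELECT table_name FROM catalog_tables "
           "WHERE table_schema = ? ORDER BY table_name")
    return [row[0] for row in conn.execute(sql, (schema,))]


if __name__ == "__main__":
    ver = installed_connector_version()
    print("installed connector:", ver, "affected:", bool(ver and is_affected(ver)))
    conn = build_catalog()
    payload = "public' OR '1'='1"   # constructed injection string
    print("vulnerable:", get_tables_vulnerable(conn, payload))  # leaks 'finance' too
    print("hardened:  ", get_tables_hardened(conn, payload))    # matches nothing
```

The version check is deliberately narrow: the advisory names exactly one affected release, so anything other than 2.1.4 is reported as not affected rather than guessing at a range. The vulnerable lookup is the generic CWE-89 shape, not the connector's actual query; the point is that a caller who can choose a schema or table name controls the statement when that name is concatenated rather than bound.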

References

Affected or Relevant Artifacts

  • Developer: Amazon
  • Deployer: Amazon
  • Artifact Details:
      Type: System
      Name: Amazon Redshift Python Connector

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Base Score: 8.0
Base Severity: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-12-24
  • Version: 0.3.3