{"id":"GHSA-r244-wg5g-6w2r","summary":"Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin","details":"### Summary\n[Amazon Redshift Python Connector](https://docs.aws.amazon.com/redshift/latest/mgmt/python-redshift-driver.html) is a pure Python connector to Redshift (i.e., driver) that implements the [Python Database API Specification 2.0](https://www.python.org/dev/peps/pep-0249/).\n\nWhen the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. \n\n### Impact\n\nAn insecure connection could allow an actor to intercept the token exchange process and retrieve an access token.\n\n**Impacted versions:** \u003e=2.0.872;\u003c=2.1.6\n\n### Patches\n\nUpgrade Amazon Redshift Python Connector to version 2.1.7 and ensure any forked or derivative code is patched to incorporate the new fixes.\n\n### Workarounds\n\nNone\n\n### References\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting","aliases":["CVE-2025-5279"],"modified":"2026-02-04T04:10:02.506936Z","published":"2025-05-28T14:57:31Z","related":["CGA-q573-w4gv-fw58"],"database_specific":{"github_reviewed_at":"2025-05-28T14:57:31Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-295"],"nvd_published_at":"2025-05-27T21:15:23Z"},"references":[{"type":"WEB","url":"https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-r244-wg5g-6w2r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5279"},{"type":"WEB","url":"https://aws.amazon.com/security/security-bulletins"},{"type":"WEB","url":"https://aws.amazon.com/security/security-bulletins/AWS-2025-011"},{"type":"PACKAGE","url":"https://github.com/aws/amazon-redshift-python-driver"},{"type":"WEB","url":"https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.7"}],"affected":[{"package":{"name":"redshift-connector","ecosystem":"PyPI","purl":"pkg:pypi/redshift-connector"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.872"},{"fixed":"2.1.7"}]}],"versions":["2.0.872","2.0.873","2.0.874","2.0.875","2.0.876","2.0.877","2.0.878","2.0.879","2.0.880","2.0.881","2.0.882","2.0.883","2.0.884","2.0.885","2.0.886","2.0.887","2.0.888","2.0.889","2.0.900","2.0.901","2.0.902","2.0.903","2.0.904","2.0.905","2.0.906","2.0.907","2.0.908","2.0.909","2.0.910","2.0.911","2.0.912","2.0.913","2.0.914","2.0.915","2.0.916","2.0.917","2.0.918","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6"],"database_specific":{"last_known_affected_version_range":"\u003c= 2.1.6","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-r244-wg5g-6w2r/GHSA-r244-wg5g-6w2r.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"}]}