CVE-2025-5279: Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin

7.0 CVSS

Description

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and retrieve an access token.

This issue has been addressed in driver version 2.1.7. Users should upgrade to address this issue and ensure any forked or derivative code is patched to incorporate the new fixes.

Classification

CVE ID: CVE-2025-5279

CVSS Base Severity: HIGH

CVSS Base Score: 7.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Problem Types

CWE-295: Improper Certificate Validation

Affected Products

Vendor: Amazon

Product: Redshift

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.15% (scored less or equal to compared to others)

EPSS Date: 2025-06-08 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5279
https://aws.amazon.com/security/security-bulletins/

Timeline

2025-05-27 21:40:21 UTC
CVE

Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin
2025-05-28 15:15:32 UTC
Github Advisory Database (PIP)

[redshift-connector] Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin