CVE-2022-29972 An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver may allow a local user to execute arbitrary code.

An attacker may leverage this vulnerability to inject commands into the database or cause the server to process malicious commands. In certain configurations, this may lead to a denial of service (DoS) condition.

CVE-2018-17154 A cross-site request forgery (CSRF) vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) allows an attacker to send requests to the server without being authenticated by setting the “SEND OPTIONS” cookie.

CVE-2018-17153 A SQL injection vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) allows an attacker to execute arbitrary SQL commands with server privileges by setting the “SEND OPTIONS” cookie.

CVE-2018-17152 An information disclosure vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) allows an attacker with network access to disclose information about the server to which the server is connected by setting the “SEND OPTIONS” cookie.

CVE

^ ii) Summary of Key Changes ^

1) A SQL injection vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) allows an attacker to execute arbitrary SQL commands with server privileges by setting the “SEND OPTIONS” cookie
2) An information disclosure vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) allows an attacker with network access to disclose information about the server to which the server is connected by setting the “SEND OPTIONS” cookie
3) CVE-2018-17153: A SQL injection vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4, 21, 10, and 22); allows an attacker to execute arbitrary SQL commands with server privileges; by setting the “SEND OPTIONS” cookie
4) CVE-2018-17152: An information disclosure vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver (1 . 4 . 14 - . 4 . 21 . 1002 and prior versions); allows an attacker with network access to disclose information about the server to which the server is connected; by setting the “SEND OPT

Timeline

Published on: 05/09/2022 18:15:00 UTC
Last modified on: 05/18/2022 14:19:00 UTC

References

• https://insightsoftware.com/trust/security/advisories/redshift-and-athena-driver-vulnerability/
• https://www.magnitude.com/products/data-connectivity
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29972