PT-2022-2477 · Microsoft · Azure Data Factory
Published: 2022-04-15 · Updated: 2022-05-18
CVE-2022-29972
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Magnitude Simba Amazon Redshift ODBC Driver versions 1.4.14 through 1.4.21.1001
Magnitude Simba Amazon Redshift ODBC Driver versions 1.4.22 through 1.4.x before 1.4.52
Microsoft Azure Synapse (affected versions not specified)
Microsoft Azure Data Factory (affected versions not specified)
Description
CVE-2022-29972 is an argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver; a local user who can influence the arguments passed by that component may be able to execute arbitrary code. The same underlying issue affected Microsoft Azure Synapse and Azure Data Factory, where it could have been used for remote code execution, letting an attacker take control of other customers' Synapse workspaces and leak the sensitive data they hold, including Azure service keys, API tokens, and passwords for other services.
Recommendations
For Magnitude Simba Amazon Redshift ODBC Driver versions 1.4.14 through 1.4.21.1001, update to a version outside of this range to mitigate the risk.
For Magnitude Simba Amazon Redshift ODBC Driver versions 1.4.22 through 1.4.x before 1.4.52, update to version 1.4.52 or later to resolve the issue.
For Microsoft Azure Synapse, restrict access to critical functions until a patch is available.
For Microsoft Azure Data Factory, avoid using sensitive data, including Azure service keys and API tokens, in the affected component until the issue is resolved.
At the time of writing, no release of Microsoft Azure Synapse or Azure Data Factory containing a fix for this vulnerability has been announced.
Status: Fix
Weakness types: Missing Authentication; Argument Injection
Affected Products
Magnitude Simba Amazon Redshift Jdbc Driver
Azure Data Factory
Azure Synapse