PT-2024-24941 · Amazon · Amazon Redshift Jdbc Driver

Reported by: Paul-Gerste-Sonarsource · Published: 2024-02-21 · Updated: 2025-06-12 · CVE-2024-32888

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Amazon Redshift JDBC Driver versions prior to 2.1.0.28

Description: The issue allows SQL injection when the non-default connection property preferQueryMode=simple is used in combination with application code that contains a vulnerable SQL statement negating a parameter value. There is no vulnerability in the driver when using the default, extended query mode. The preferQueryMode property is not a supported parameter of the Redshift JDBC driver; it is code inherited from the Postgres JDBC driver. Users who do not override the default settings to use this unsupported query mode are not affected.

Recommendations: For Amazon Redshift JDBC Driver versions prior to 2.1.0.28, do not use the connection property preferQueryMode=simple; this mitigates the issue. Upgrade to version 2.1.0.28 or later to patch the issue.

Exploit
Fix
SQL injection

Weakness Enumeration

Related Identifiers
CVE-2024-32888
GHSA-24RP-Q3W6-VC56
GHSA-X3WM-HFFR-CHWM

Affected Products
Amazon Redshift Jdbc Driver