PT-2026-54642 · Amazon · Aws Advanced Jdbc Wrapper
Davecramer
·
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-14265
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AWS Advanced JDBC Wrapper versions 3.3.0 through 4.0.0
Description
Deserialization of untrusted data in the
RemoteQueryCachePlugin allows an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers. The issue occurs because the RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, which enables gadget chain execution if cache entries are poisoned.Recommendations
Upgrade AWS Advanced JDBC Wrapper to version 4.0.1 or later.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Aws Advanced Jdbc Wrapper