CVE-2024-12744: 
Java vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2024-12744) was discovered in Amazon Redshift JDBC Driver version 2.1.0.31. The vulnerability was disclosed on December 24, 2024, affecting the driver's metadata APIs specifically through the getSchemas, getTables, and getColumns functions. This security flaw allows users to potentially gain escalated privileges through SQL injection attacks (AWS Security Bulletin, GitHub Advisory).

The vulnerability stems from improper handling of user-supplied input in the metadata APIs of the Redshift JDBC Driver. The flaw has been assigned a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 8.6 with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-89 (SQL Injection) (NVD).

When exploited, this vulnerability could allow attackers to execute SQL injection attacks through the metadata APIs, potentially leading to unauthorized access, data modification, or deletion of sensitive information. The high severity scores indicate significant potential impact on system confidentiality, integrity, and availability (Security Online).

AWS has released version 2.1.0.32 of the Redshift JDBC Driver to address this vulnerability. The patch implements proper input handling by ensuring all metadata command inputs are processed using parameterized queries with QUOTEIDENT(string) or QUOTELITERAL(string) functions. As a temporary workaround, users can also revert to the previous unaffected version 2.1.0.30 (AWS Security Bulletin, GitHub Advisory).