CVE-2026-8838

Amazon · Redshift Python Driver

The Amazon Redshift Python driver contains a critical vulnerability where `eval()` is used on server-received data, allowing a malicious server to trigger remote code execution on the client.

Executive summary

Unsafe use of eval() in the Amazon Redshift Python driver permits a rogue or compromised server to execute arbitrary code on connecting client machines.

Vulnerability

The vector_in() function parses data received from the server with eval(), so an attacker who controls the Redshift instance or can intercept the connection (man-in-the-middle) can supply a value that is executed as Python code on the client.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting the remote code execution it enables on client systems. It is particularly dangerous for developers or automated systems that connect to untrusted or potentially compromised Redshift database clusters.

Remediation

Immediate Action: Upgrade the Amazon Redshift Python driver to version 2.1.14 or later.

Proactive Monitoring: Monitor client systems for unauthorized outbound connections or unusual process execution following database interactions.

Compensating Controls: Ensure connections to Redshift clusters are established over encrypted and authenticated channels to mitigate man-in-the-middle risks.
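As an added illustration of the vector_in() issue and the upgrade advice above (example code, not the driver's own): a parser that decodes a server-supplied vector string as data rather than evaluating it as Python, plus a check that an installed driver version is at or past the fixed release. The bracketed, comma-separated number format (e.g. "[1.0, 2.5]") is an assumption about how vector values are serialised.

```python
import json
import math
from typing import List


def parse_vector_safe(text: str) -> List[float]:
    """Parse a server-supplied vector string without eval().

    json.loads only produces data (lists, numbers, strings, ...) and never
    runs code, so a hostile or intercepted server cannot turn the value into
    a Python expression the way eval() would. The input format is assumed.
    """
    try:
        value = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"vector is not a JSON array: {text!r}") from exc
    if not isinstance(value, list):
        raise ValueError("vector must be a JSON array")
    out: List[float] = []
    for item in value:
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(item, bool) or not isinstance(item, (int, float)):
            raise ValueError(f"non-numeric vector element: {item!r}")
        number = float(item)
        # json.loads accepts NaN/Infinity by default; keep only finite values.
        if not math.isfinite(number):
            raise ValueError("vector elements must be finite")
        out.append(number)
    return out


def is_patched(version: str, fixed: str = "2.1.14") -> bool:
    """Return True if a plain numeric driver version is >= the fixed release.

    Pre-release suffixes (e.g. "rc1") are not handled; the advisory's fixed
    version is 2.1.14.
    """
    def key(v: str):
        return tuple(int(part) for part in v.split(".")[:3])
    return key(version) >= key(fixed)


if __name__ == "__main__":
    # Constructed sample of a well-formed vector from the server.
    print(parse_vector_safe("[1.0, 2.5, -3.0]"))
    print(is_patched("2.1.13"), is_patched("2.1.14"))
```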

Exploitation status

Public Exploit Available: No