Cyber Resilience

CVE-2022-41828

Severity: High
Published: 29 September 2022
Modified: 20 May 2025
KEV Added: not listed
Patch: upgrade to 2.1.0.8 or later (see Deeper analysis)
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0964 (93.1st percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41828 is a high-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in the Amazon Web Services (AWS) Redshift Java Database Connectivity (JDBC) Driver. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a type-checking flaw in the Amazon AWS Redshift JDBC Driver (also known as amazon-redshift-jdbc-driver or redshift-jdbc42) prior to version 2.1.0.8. The Object Factory component instantiates objects from supplied class names without verifying that the resulting class matches an expected type, which corresponds to CWE-704 and carries a CVSS 3.1 score of 8.1.

An attacker who can influence the class name passed to the driver can cause the factory to load and instantiate an arbitrary class. Successful exploitation can lead to full compromise of confidentiality, integrity, and availability on the affected client or application using the driver. The CVSS vector rates attack complexity as high, with no privileges or user interaction required.

The referenced GitHub security advisory GHSA-jc69-hjw2-fm86 and the associated commit 40b143b4698faf90c788ffa89f2d4d8d2ad068b5 indicate that the issue is resolved by upgrading to driver version 2.1.0.8 or later, which adds the missing class-type validation in the Object Factory.
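The two factory patterns described above, as an added illustration that is not the driver's own code: an unchecked factory instantiates whatever class name it is handed, while the hardened version verifies that the loaded class is a subtype of the expected type before constructing it. The `Runnable`/`Thread`/`ArrayList` names are JDK classes chosen for the demonstration only.

```java
import java.util.ArrayList;

/** Illustrative object factory; not code from amazon-redshift-jdbc-driver. */
public final class ObjectFactoryExample {

    /** Vulnerable pattern (CWE-704): loads and instantiates any class name
     *  without checking that the result is the type the caller expects. */
    public static Object instantiateUnchecked(String className)
            throws ReflectiveOperationException {
        Class<?> clazz = Class.forName(className);
        return clazz.getDeclaredConstructor().newInstance();
    }

    /** Hardened pattern: refuse the class before running any of its code.
     *  initialize=false keeps static initializers from running before the
     *  type check; isAssignableFrom enforces the expected type. */
    public static <T> T instantiateChecked(String className, Class<T> expected)
            throws ReflectiveOperationException {
        Class<?> clazz = Class.forName(
                className, false, ObjectFactoryExample.class.getClassLoader());
        if (!expected.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    className + " is not a " + expected.getName());
        }
        return expected.cast(clazz.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        // Expected: a Runnable. java.lang.Thread satisfies the check.
        Runnable ok = instantiateChecked("java.lang.Thread", Runnable.class);
        System.out.println("checked, accepted: " + ok.getClass().getName());

        // java.util.ArrayList has a no-arg constructor but is not a Runnable:
        // the hardened factory rejects it before construction.
        try {
            instantiateChecked("java.util.ArrayList", Runnable.class);
        } catch (IllegalArgumentException e) {
            System.out.println("checked, rejected: " + e.getMessage());
        }

        // The unchecked factory happily builds the wrong type; the caller
        // only discovers the mismatch (if at all) at a later cast.
        Object wrong = instantiateUnchecked("java.util.ArrayList");
        System.out.println("unchecked, constructed: " + wrong.getClass().getName()
                + " (is ArrayList: " + (wrong instanceof ArrayList) + ")");
    }
}
```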

EPSS for this CVE rose from a low baseline to a peak of 0.5556 on 2025-12-11 before receding to the current value of 0.0964, indicating that exploitation interest emerged after disclosure.

Vulnerability details

In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: amazon
Product: amazon web services redshift java database connectivity driver
Versions: ≤ 2.1.0.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
