CVE-2022-41828
Published: 29 September 2022
Summary
CVE-2022-41828 is a high-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in the Amazon Web Services (AWS) Redshift JDBC (Java Database Connectivity) Driver. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 6.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
The vulnerability is a type-checking flaw in the Amazon AWS Redshift JDBC Driver (also known as amazon-redshift-jdbc-driver or redshift-jdbc42) prior to version 2.1.0.8. The Object Factory component instantiates objects from supplied class names without verifying that the resulting class matches an expected type, which corresponds to CWE-704 and carries a CVSS 3.1 score of 8.1.
An attacker who can influence the class name passed to the driver can cause the factory to load and instantiate an arbitrary class available on the application's classpath. Because loading a class in Java also runs its static initializer, the damage does not depend on the resulting object ever being used as the driver intended. Successful exploitation can fully compromise the confidentiality, integrity, and availability of the client or application using the driver. The CVSS vector requires no prior authentication and no user interaction, but rates attack complexity as high, which is why the score is 8.1 rather than higher.
The referenced GitHub security advisory GHSA-jc69-hjw2-fm86 and the associated commit 40b143b4698faf90c788ffa89f2d4d8d2ad068b5 indicate that the issue is resolved by upgrading to driver version 2.1.0.8 or later, which adds the missing class-type validation in the Object Factory.
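The following is an added illustration of the pattern described above, not code from the Redshift JDBC driver or its fix. It places a factory that instantiates whatever class name it is given next to a hardened form that resolves the class without initializing it, verifies assignability to the expected type, and only then instantiates. The class `ObjectFactoryDemo`, the stand-in `Payload` class, the method names, and the choice of `javax.net.SocketFactory` as the expected type are assumptions made for the example; the driver's real property names and expected types are not taken from the page.

```java
import javax.net.SocketFactory;

/*
 * Added example, not the driver's source. ObjectFactoryDemo, Payload and the
 * method names are hypothetical; SocketFactory is an assumed expected type.
 */
public class ObjectFactoryDemo {

    /** Stand-in for an attacker-chosen class that the factory should never load. */
    public static class Payload {
        static {
            // Runs as soon as the class is initialized, before any constructor.
            System.out.println("Payload static initializer ran");
        }
        public Payload() {
            System.out.println("Payload constructor ran");
        }
    }

    /** Vulnerable pattern: any loadable class with a no-arg constructor is instantiated. */
    static Object createUnchecked(String className) throws Exception {
        // Class.forName(String) initializes the class, so its static initializer
        // runs here, before any type check could be applied to the result.
        Class<?> clazz = Class.forName(className);
        return clazz.getDeclaredConstructor().newInstance();
    }

    /** Hardened form: resolve without initializing, check the type, then instantiate. */
    static <T> T createChecked(String className, Class<T> expectedType) throws Exception {
        // initialize=false: the class is located but its static initializer does not run.
        Class<?> clazz = Class.forName(className, false, ObjectFactoryDemo.class.getClassLoader());
        if (!expectedType.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    className + " is not a " + expectedType.getName());
        }
        return expectedType.cast(clazz.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the binary name an attacker would supply where the
        // factory expects, in this example, a SocketFactory implementation.
        String supplied = "ObjectFactoryDemo$Payload";

        // Hardened path first: rejected before Payload's static initializer can run.
        try {
            SocketFactory sf = createChecked(supplied, SocketFactory.class);
            System.out.println("unexpected: " + sf);
        } catch (IllegalArgumentException e) {
            System.out.println("checked factory rejected: " + e.getMessage());
        }

        // Vulnerable path: Payload is loaded, initialized and constructed.
        Object o = createUnchecked(supplied);
        System.out.println("unchecked factory returned " + o.getClass().getName());
    }
}
```

Run with `javac ObjectFactoryDemo.java && java ObjectFactoryDemo`. The rejection message appears first with no output from `Payload`, showing that the three-argument `Class.forName` with `initialize=false` defers the static initializer until after the `isAssignableFrom` check; the unchecked call that follows prints both the static initializer and constructor messages. The check must be done on the `Class` object, not on the instance, because by the time an instance exists the class has already been initialized.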
EPSS for this CVE rose from a low baseline to a peak of 0.5556 on 2025-12-11 before receding to its current value of 0.0964, indicating that exploitation interest emerged well after disclosure rather than at the time of publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7116
Vulnerability details
In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.
- CWE(s): CWE-704 Incorrect Type Conversion or Cast
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Amazon AWS Redshift JDBC Driver (amazon-redshift-jdbc-driver, redshift-jdbc42), all versions before 2.1.0.8, and any application that bundles one of those versions on its classpath.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE. The vendor fix is to upgrade the driver to version 2.1.0.8 or later.