Snowflake JDBC vulnerable to command injection via SSO URL authentication
CVE-2023-30535

7.3HIGH

Key Information:

Vendor: Snowflakedb
Status: Snowflake-jdbc
Vendor: CVE Published:; 14 April 2023

🔔 Create Snowflakedb Vulnerability Alert

What is CVE-2023-30535?

The Snowflake JDBC driver is vulnerable to a command injection attack due to improper handling of user input in the connection URL. This flaw allows an attacker to host a malicious server that responds with crafted payloads. If a user unknowingly accesses this compromised connection URL, their local system could execute harmful commands, resulting in potential remote code execution. It is critical for users to update their Snowflake JDBC driver to version 3.13.29 or later to mitigate this risk.

Affected Version(s)

snowflake-jdbc < 3.13.29

References

https://github.com/snowflakedb/snowflake-jdbc/security/ad...

x_refsource_CONFIRM

https://community.snowflake.com/s/article/JDBC-Driver-Rel...

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2023
Vulnerability Reserved
Apr 12, 2023