Snowflake Connector vulnerable to Command Injection
CVE-2023-34230

8.8HIGH

Key Information:

Vendor: snowflakedb
Status: snowflake-connector-net
Vendor: CVE Published:; 8 June 2023

🔔 Create snowflakedb Vulnerability Alert

What is CVE-2023-34230?

The Snowflake Connector for .NET is susceptible to command injection vulnerabilities prior to version 2.0.18, specifically through exploitation via Single Sign-On (SSO) URL authentication. An attacker could create a malicious resource and deceive users into utilizing this compromised resource. By setting up a publicly accessible server that can respond to an SSO URL with harmful payloads, the attacker can lead users to visit this crafted connection URL. Upon visiting, the users' systems may inadvertently execute the attack payload, posing severe risks including unauthorized remote code execution. To mitigate this vulnerability, organizations are advised to implement URL whitelisting and utilize established anti-phishing measures.

Affected Version(s)

snowflake-connector-net < 2.0.18

References

https://github.com/snowflakedb/snowflake-connector-net/se...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2023
Vulnerability Reserved
May 31, 2023