Potential Elevation of Privilege Vulnerability in Snowflake Hive Metastore Connector
CVE-2024-28851
What is CVE-2024-28851?
The Snowflake Hive MetaStore Connector contains a vulnerability in its helper script that a malicious insider without admin privileges could exploit. The attacker could download content from a Microsoft domain and replace it with malicious code, thereby manipulating what the script executes. If the attacker then also gains local access, users may inadvertently run the tampered script, leading to a potential escalation of privileges. Snowflake addressed this issue in a patch released on February 09, 2024, though there was no version bump for the Connector. Users relying on the helper script are strongly encouraged to update to the latest version or to refrain from using the script to mitigate the risk.
Affected Version(s)
snowflake-hive-metastore-connector < dfbf87dff4
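
Because the fix shipped without a version bump, a version string cannot separate a patched copy from an affected one; the check has to be made against the commit id listed above. The following is an added example, not code from the advisory or the connector project: it assumes the connector was obtained as a git checkout, and the function names `has_fix` and `report` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the connector project).
# Fix commit id as abbreviated under "Affected Version(s)" on this page.
FIX_COMMIT="dfbf87dff4"

# has_fix REPO_DIR [COMMIT]   (hypothetical helper name)
#   0 = HEAD contains the fix commit
#   1 = HEAD predates the fix (affected helper script)
#   2 = cannot tell: not a git checkout, or the commit is not present locally
#       (shallow clone, or the fix has not been fetched yet)
has_fix() {
    repo=$1
    commit=${2:-$FIX_COMMIT}
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || return 2
    # Resolve the abbreviated id to a full commit id; fails if it is unknown locally.
    full=$(git -C "$repo" rev-parse --verify --quiet "${commit}^{commit}" 2>/dev/null) || return 2
    anc=0
    git -C "$repo" merge-base --is-ancestor "$full" HEAD 2>/dev/null || anc=$?
    case $anc in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# report REPO_DIR: print a one-line verdict and return has_fix's status.
report() {
    rc=0
    has_fix "$1" || rc=$?
    case $rc in
        0) echo "$1: HEAD contains $FIX_COMMIT (fix present)" ;;
        1) echo "$1: HEAD predates $FIX_COMMIT, update before running the helper script" ;;
        *) echo "$1: cannot verify, fetch full history (git fetch --unshallow) and retry" ;;
    esac
    return "$rc"
}

# Run as: sh check_fix.sh /path/to/checkout   (script name is a placeholder)
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```
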