GHSA-4g3j-c4wg-6j7x

Suggest an improvement
Source
https://github.com/advisories/GHSA-4g3j-c4wg-6j7x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-4g3j-c4wg-6j7x/GHSA-4g3j-c4wg-6j7x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4g3j-c4wg-6j7x
Aliases
Published
2023-04-14T18:28:58Z
Modified
2023-11-01T05:01:54.975906Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Snowflake JDBC vulnerable to command injection via SSO URL authentication
Details

Snowflake JDBC driver is vulnerable to command injection vulnerability via SSO URL authentication. The vulnerability was patched on March 17, 2023 as part of Snowflake JDBC driver Version 3.13.29. An attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution.

Database specific
{
    "nvd_published_at": "2023-04-14T20:15:00Z",
    "github_reviewed_at": "2023-04-14T18:28:58Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-77"
    ]
}
References

Affected packages

Maven / net.snowflake:snowflake-jdbc

Package

Name
net.snowflake:snowflake-jdbc
View open source insights on deps.dev
Purl
pkg:maven/net.snowflake/snowflake-jdbc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.13.29

Affected versions

2.*

2.8.0
2.8.1
2.8.2

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.6.10
3.6.11
3.6.12
3.6.13
3.6.14
3.6.15
3.6.16
3.6.17
3.6.18
3.6.19
3.6.20
3.6.21
3.6.22
3.6.23
3.6.24
3.6.25
3.6.26
3.6.27
3.6.28
3.7.0
3.7.1
3.7.2
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.9.0
3.9.1
3.9.2
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.12.14
3.12.15
3.12.16
3.12.17
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5
3.13.6
3.13.7
3.13.8
3.13.9
3.13.10
3.13.11
3.13.12
3.13.13
3.13.14
3.13.15
3.13.16
3.13.17
3.13.18
3.13.19
3.13.20
3.13.21
3.13.22
3.13.23
3.13.24
3.13.25
3.13.26
3.13.27
3.13.28