Vulnerability Description
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. The vulnerability was patched on March 17, 2023 as part of Snowflake JDBC driver Version 3.13.29. All users should immediately upgrade the Snowflake JDBC driver to the latest version: 3.13.29.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Snowflake | Snowflake Jdbc | < 3.13.29 |
Related Weaknesses (CWE)
References
- https://community.snowflake.com/s/article/JDBC-Driver-Release-NotesRelease Notes
- https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-4g3j-c4wgVendor Advisory
- https://community.snowflake.com/s/article/JDBC-Driver-Release-NotesRelease Notes
- https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-4g3j-c4wgVendor Advisory
FAQ
What is CVE-2023-30535?
CVE-2023-30535 is a vulnerability with a CVSS score of 7.3 (HIGH). Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection ...
How severe is CVE-2023-30535?
CVE-2023-30535 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-30535?
Check the references section above for vendor advisories and patch information. Affected products include: Snowflake Snowflake Jdbc.