net.snowflake:snowflake-jdbc@3.7.2 vulnerabilities

  • latest version

    3.21.0

  • first published

    8 years ago

  • latest version published

    2 months ago


  • Direct Vulnerabilities

    Known vulnerabilities in the net.snowflake:snowflake-jdbc package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version
    • Severity: High
    Untrusted Search Path

    Affected versions of this package are vulnerable to Untrusted Search Path when the EXTERNALBROWSER authentication method is used on Windows. The openBrowser() function in SessionUtilExternalBrowser.java relies on the xdg-open command, which does not exist by default on Windows. When the application looks the command up on the system's %PATH%, it can be tricked into executing a malicious program placed in one of the traversed directories by a user with limited privileges, thereby elevating that user's privileges to those of the JDBC driver.

    How to fix Untrusted Search Path?

    Upgrade net.snowflake:snowflake-jdbc to version 3.22.0 or higher.

    Vulnerable versions: [3.2.3,3.22.0)
    • Severity: Medium
    Incorrect Default Permissions

    Affected versions of this package are vulnerable to Incorrect Default Permissions on the temporary credential cache directory, handled in FileCacheManager.java. When either the EXTERNALBROWSER or the USERNAME_PASSWORD_MFA authentication method is used with temporary credential caching enabled, credentials are stored in a world-readable file because the cache file's permissions are set insecurely. Any user with local access to ~/.cache/snowflake on a Linux system can read the stored credentials.

    How to fix Incorrect Default Permissions?

    Upgrade net.snowflake:snowflake-jdbc to version 3.22.0 or higher.

    Vulnerable versions: [3.6.8,3.22.0)
    • Severity: High
    Missing Encryption of Sensitive Data

    Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to a misbounded check in the createUploadStream() function on Azure and GCP deployments. When the CLIENT_ENCRYPTION_KEY_SIZE of a stage used through the JDBC driver is set to the non-default 256-bit size, an attacker can upload data that is stored on the client side without encryption. The data is still encrypted in transit and on the server.

    Note: AWS deployments are not vulnerable.

    How to fix Missing Encryption of Sensitive Data?

    Upgrade net.snowflake:snowflake-jdbc to version 3.20.0 or higher.

    Vulnerable versions: [3.2.6,3.20.0)
    • Severity: High
    Arbitrary Code Execution

    Affected versions of this package are vulnerable to Arbitrary Code Execution via SSO URL authentication.

    How to fix Arbitrary Code Execution?

    Upgrade net.snowflake:snowflake-jdbc to version 3.13.29 or higher.

    Vulnerable versions: [,3.13.29)
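The vulnerable-version ranges above use Maven range notation (`[` and `]` inclusive, `(` and `)` exclusive, an empty bound meaning unbounded). The following added example, which is not Snyk's or Snowflake's code, parses those ranges and reports which of the four advisories listed on this page apply to a given snowflake-jdbc version and the lowest upgrade target that clears all of them; the advisory table inside it is transcribed from this page.

```python
"""Check a snowflake-jdbc version against the Maven-style vulnerable ranges
listed on this page. Added example, not Snyk's or Snowflake's code."""
import re

# (title, vulnerable range, first fixed version), transcribed from the page
ADVISORIES = [
    ("Untrusted Search Path", "[3.2.3,3.22.0)", "3.22.0"),
    ("Incorrect Default Permissions", "[3.6.8,3.22.0)", "3.22.0"),
    ("Missing Encryption of Sensitive Data", "[3.2.6,3.20.0)", "3.20.0"),
    ("Arbitrary Code Execution", "[,3.13.29)", "3.13.29"),
]


def parse_version(s):
    """'3.7.2' -> (3, 7, 2); numeric dotted versions only."""
    return tuple(int(p) for p in s.split("."))


def in_range(version, spec):
    """True if `version` lies in a Maven range such as '[3.2.3,3.22.0)' or '[,3.13.29)'.
    '[' / ']' are inclusive bounds, '(' / ')' exclusive; an empty bound is unbounded."""
    m = re.fullmatch(r"([\[(])([^,]*),([^,\])]*)([\])])", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True


def affecting(version):
    """Titles of the advisories whose vulnerable range contains `version`."""
    return [title for title, spec, _ in ADVISORIES if in_range(version, spec)]


def minimum_fixed_version(version):
    """Lowest upgrade target that clears every advisory affecting `version`, or None."""
    fixes = [fixed for _, spec, fixed in ADVISORIES if in_range(version, spec)]
    return max(fixes, key=parse_version) if fixes else None


if __name__ == "__main__":
    for v in ("3.7.2", "3.13.29", "3.20.0", "3.22.0"):
        print(v, affecting(v), "-> upgrade to", minimum_fixed_version(v))
```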