Approved changes feed: RSS · Atom

cpe:2.3:a:snowflakedb:snowflake-jdbc:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorSnowflakedb (c36e0346-ff75-517e-9ece-94c1d0000f0b)
ProductSnowflake Jdbc (93f43bac-07b6-544e-943a-09ee60d5c450)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-3293 vulnerable 2026-06-08 08:01:18.344987 snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.java SdkProxyRoutePlanner redos
LOW (3.3)
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052. A patch should be applied to remediate this issue.
Published: 2026-02-27T05:32:09.400Z
Updated: 2026-02-27T18:53:38.099Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-27496 vulnerable 2026-06-08 07:14:55.237702 Snowflake JDBC Driver client-side encryption key in DEBUG logs
LOW (3.3)
Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. Snowflake fixed the issue in version 3.23.1.
Published: 2025-03-13T19:01:33.295Z
Updated: 2025-03-13T19:51:10.678Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-24790 vulnerable 2026-06-08 07:12:49.894172 Snowflake JDBC uses insecure temporary credential cache file permissions
MEDIUM (4.4)
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. On Linux systems, when temporary credential caching is enabled, the Snowflake JDBC Driver will cache temporary credentials locally in a world-readable file. This vulnerability affects versions 3.6.8 through 3.21.0. Snowflake fixed the issue in version 3.22.0.
Published: 2025-01-29T17:49:19.771Z
Updated: 2025-02-12T19:51:13.788Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-24789 vulnerable 2026-06-08 07:12:49.892955 Snowflake JDBC allows an untrusted search path on Windows
HIGH (7.8)
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. When the EXTERNALBROWSER authentication method is used on Windows, an attacker with write access to a directory in the %PATH% can escalate their privileges to the user that runs the vulnerable JDBC Driver version. This vulnerability affects versions 3.2.3 through 3.21.0 on Windows. Snowflake fixed the issue in version 3.22.0.
Published: 2025-01-29T17:46:20.985Z
Updated: 2025-02-12T19:51:13.919Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-30535 vulnerable 2026-06-08 06:04:39.731329 Snowflake JDBC vulnerable to command injection via SSO URL authentication
HIGH (7.3)
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. The vulnerability was patched on March 17, 2023 as part of Snowflake JDBC driver Version 3.13.29. All users should immediately upgrade the Snowflake JDBC driver to the latest version: 3.13.29.
Published: 2023-04-14T19:30:26.523Z
Updated: 2025-02-06T18:41:19.845Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.