A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity.
The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052.
A patch should be applied to remediate this issue.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 8
https://github.com/snowflakedb/snowflake-jdbc/
cna@vuldb.com
https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56…
cna@vuldb.com
https://github.com/snowflakedb/snowflake-jdbc/issues/2505
cna@vuldb.com
https://github.com/snowflakedb/snowflake-jdbc/issues/2505#issue-3951994646
cna@vuldb.com
https://snowflakecomputing.atlassian.net/browse/SNOW-3104251
cna@vuldb.com
https://vuldb.com/?ctiid.348035
cna@vuldb.com
https://vuldb.com/?id.348035
cna@vuldb.com
https://vuldb.com/?submit.760428
cna@vuldb.com