Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper TLS Hostname Verification in Snowflake Connector for Python
Vulnerability Description
Improper TLS hostname verification in Snowflake Connector for Python versions prior to 4.7.1 and 3.18.1 may have allowed a network-positioned attacker to bypass certificate hostname validation on HTTPS connections made by the connector. An attacker with on-path network access could exploit this by intercepting or redirecting network traffic and presenting a certificate signed by any trusted CA for any domain, causing the connector to accept connections without validating that the certificate matched the requested hostname. Successful exploitation requires an on-path traffic interception capability (e.g. ARP/DNS poisoning, rogue access point, BGP hijacking, or malicious proxy/exit node). This vulnerability may have exposed credentials, query data, and staged file contents to interception and tampering, and may have enabled the attacker to issue arbitrary SQL within the context of the victim's connector session. Impact is limited by the privileges of the affected Snowflake role. The fix is available in Snowflake Connector for Python versions 4.7.1 and 3.18.1. Users must manually upgrade.
CVSS Information
N/A
Vulnerability Type
对宿主不匹配的证书验证不恰当
Vulnerability Title
Snowflake Connector for Python 加密问题漏洞
Vulnerability Description
Snowflake Snowflake Connector for Python是美国Snowflake公司的一款连接Snowflake数据库的Python客户端。 Snowflake Connector for Python 3.18.1之前版本和4.7.1之前版本存在加密问题漏洞,该漏洞源于TLS主机名验证不当,可能导致网络位置的攻击者通过拦截或重定向网络流量,出示任何受信任CA为任何域名签名的证书,绕过连接器的HTTPS证书主机名验证,造成连接器接受连接而未验证证书是否与请求的主机名匹配。成功利用需
CVSS Information
N/A
Vulnerability Type
N/A