GoogleOSV:GHSA-4R6J-FWCX-94CFsnowflake-connector-python is vulnerable to Regular Expression Denial of Service (ReDoS)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
36.8%
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the get_file_transfer_type method.
References
github.com/snowflakedb/snowflake-connector-python
github.com/snowflakedb/snowflake-connector-python/commit/b9d2fc789fae4db865dde3d2a1bd72c8a9eab091
github.com/snowflakedb/snowflake-connector-python/pull/1327
github.com/snowflakedb/snowflake-connector-python/releases/tag/v2.8.2
nvd.nist.gov/vuln/detail/CVE-2022-42965
research.jfrog.com/vulnerabilities/snowflake-connector-python-redos-xray-257185
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
36.8%