CVE-2025-24794 – snowflake-connector-python

Package

Manager: pip
Name: snowflake-connector-python
Vulnerable Version: >=2.7.12 <3.13.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00071 pctl0.22252

Details

snowflake-connector-python vulnerable to insecure deserialization of the OCSP response cache ### Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as the serialization format, potentially leading to local privilege escalation. This vulnerability affects versions 2.7.12 through 3.13.0. Snowflake fixed the issue in version 3.13.1. ### Vulnerability Details The OCSP response cache is saved locally on the machine running the Connector using the pickle serialization format. This can potentially lead to local privilege escalation if an attacker has write access to the OCSP response cache file. ### Solution Snowflake released version 3.13.1 of the Snowflake Connector for Python, which fixes this issue. We recommend users upgrade to version 3.13.1. ### Additional Information If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).

Metadata

Created: 2025-01-29T20:50:18Z
Modified: 2025-04-09T20:10:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-m4f6-vcj4-w5mx/GHSA-m4f6-vcj4-w5mx.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-m4f6-vcj4-w5mx
Finding: F096
Auto approve: 1