45 matches found

EUVD
added 2026/05/19 12:59 p.m. | 5 views

EUVD-2026-30931

Sparx Pro Cloud Server requires authentication based on the requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob of the POST request, allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but...

CVSS 9.3 | AI score 6 | EPSS 0.00209
Exploits: 3 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2023-1657

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.6 | EPSS 0.03653
Exploits: 0 | References: 3

RedhatCVE
added 2025/05/23 2:24 a.m. | 2 views

CVE-2023-34230

snowflake-connector-net, the Snowflake Connector for .NET, is vulnerable to command injection prior to version 2.0.18 via SSO URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecti...

CVSS 8.8 | AI score 7.8 | EPSS 0.03653
Exploits: 0 | References: 1

CNNVD
added 2024/12/16 12:0 a.m. | 2 views

UJCMS security vulnerability

UJCMS is a Java open source content management system from dromara open source. A security vulnerability exists in UJCMS version 9.6.3, which stems from improper URL authentication and a URL redirection vulnerability that allows an authenticated attacker to redirect an unprivileged user to an...

CVSS 5.4 | AI score 6.7 | EPSS 0.00143
Exploits: 1 | References: 1

OSV
added 2024/03/06 10:54 a.m. | 30 views

BIT-ENVOY-2023-27487 Envoy client may fake the header `x-envoy-original-path`

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but...

CVSS 9.1 | AI score 7.5 | EPSS 0.00021
Exploits: 1 | References: 2

Veracode
added 2023/06/20 8:48 a.m. | 20 views

Command Injection

github.com/snowflakedb/gosnowflake is vulnerable to Command Injection. The vulnerability exists in the Snowflake Golang driver's SSO browser URL authentication, which lacks database URL sanitization. To exploit this, an attacker would need to establish a malicious database resource and...

CVSS 8.8 | AI score 7.5 | EPSS 0.00746
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2023/06/09 10:53 p.m. | 11 views

GHSA-H53W-7QW7-VH5C Snowflake NodeJS Driver vulnerable to Command Injection

Issue: Snowflake was informed via our bug bounty program of a command injection vulnerability in the Snowflake NodeJS driver via SSO browser URL authentication. Impacted driver package: snowflake-connector-nodejs. Impacted version range: before Version 1.6.21. Attack Scenario: In order to exploit the...

CVSS 7.3 | AI score 8.3 | EPSS 0.00554
Exploits: 0 | References: 6

Github Security Blog
added 2023/06/09 10:53 p.m. | 28 views

Snowflake Golang Driver vulnerable to Command Injection

Issue: Snowflake was informed via our bug bounty program of a command injection vulnerability in the Snowflake Golang driver via SSO browser URL authentication. Impacted driver package: gosnowflake. Impacted version range: before Version 1.6.19. Attack Scenario: In order to exploit the potential for...

CVSS 8.8 | AI score 7.4 | EPSS 0.00746
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2023/06/09 10:53 p.m. | 12 views

GHSA-FWV2-65WH-2W8C Snowflake Golang Driver vulnerable to Command Injection

Issue: Snowflake was informed via our bug bounty program of a command injection vulnerability in the Snowflake Golang driver via SSO browser URL authentication. Impacted driver package: gosnowflake. Impacted version range: before Version 1.6.19. Attack Scenario: In order to exploit the potential for...

CVSS 7.3 | AI score 8.3 | EPSS 0.00746
Exploits: 0 | References: 5

NVD
added 2023/06/08 9:15 p.m. | 7 views

CVE-2023-34232

snowflake-connector-nodejs, a NodeJS driver for Snowflake, is vulnerable to command injection via single sign-on (SSO) browser URL authentication in versions prior to 1.6.21. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicio...

CVSS 8.8 | AI score 8.4 | EPSS 0.00554
Exploits: 0 | References: 4

Prion
added 2023/06/08 9:15 p.m. | 13 views

Command injection

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Versions prior to 3.0.2 are vulnerable to command injection via single sign-on (SSO) browser URL authentication. In order to exploit the...

CVSS 4.9 | AI score 8.9 | EPSS 0.0055
Exploits: 1 | References: 3 | Affected Software: 1

Prion
added 2023/06/08 9:15 p.m. | 13 views

Command injection

snowflake-connector-net, the Snowflake Connector for .NET, is vulnerable to command injection prior to version 2.0.18 via SSO URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecti...

CVSS 6.8 | AI score 9 | EPSS 0.03653
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2023/06/08 9:15 p.m. | 11 views

PYSEC-2023-88

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Versions prior to 3.0.2 are vulnerable to command injection via single sign-on (SSO) browser URL authentication. In order to exploit the...

CVSS 8.8 | AI score 7.7 | EPSS 0.0055
Exploits: 1 | References: 3

Vulnrichment
added 2023/06/08 8:29 p.m. | 8 views

CVE-2023-34230 Snowflake Connector vulnerable to Command Injection

snowflake-connector-net, the Snowflake Connector for .NET, is vulnerable to command injection prior to version 2.0.18 via SSO URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecti...

CVSS 7.3 | AI score 8.9 | EPSS 0.03653
Exploits: 0 | References: 1

CVE
added 2023/06/08 8:29 p.m. | 48 views

CVE-2023-34230

CVE-2023-34230 affects the Snowflake Connector for .NET (snowflake-connector-net) prior to version 2.0.18. The underlying issue is a command injection vulnerability via SSO URL authentication. An attacker would need to: (1) establish a malicious resource and (2) persuade a user to use a crafted c...

CVSS 8.8 | AI score 8.3 | EPSS 0.03653
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2023/06/08 8:22 p.m. | 11 views

CVE-2023-34233 Snowflake Python Connector vulnerable to Command Injection

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Versions prior to 3.0.2 are vulnerable to command injection via single sign-on (SSO) browser URL authentication. In order to exploit the...

CVSS 7.3 | AI score 7.9 | EPSS 0.0055
Exploits: 1 | References: 5

OSV
added 2023/06/08 8:17 p.m. | 13 views

CVE-2023-34232 Snowflake NodeJS Driver vulnerable to Command Injection

snowflake-connector-nodejs, a NodeJS driver for Snowflake, is vulnerable to command injection via single sign-on (SSO) browser URL authentication in versions prior to 1.6.21. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicio...

CVSS 7.3 | AI score 8.9 | EPSS 0.00554
Exploits: 0 | References: 6

CVE
added 2023/06/08 8:17 p.m. | 48 views

CVE-2023-34232

Snowflake NodeJS driver (snowflake-connector-nodejs) is vulnerable to command injection via Single Sign-On (SSO) browser URL authentication in versions before 1.6.21. The attack requires the attacker to host a malicious resource and trick a user into visiting a crafted connection URL; if successf...

CVSS 8.8 | AI score 8.3 | EPSS 0.00554
Exploits: 0 | References: 4 | Affected Software: 1

Prion
added 2023/06/08 8:15 p.m. | 10 views

Command injection

gosnowflake is the Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on (SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1)...

CVSS 4.9 | AI score 8.9 | EPSS 0.00746
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2023/06/08 7:42 p.m. | 54 views

CVE-2023-34231

CVE-2023-34231 affects the Snowflake Go driver (gosnowflake) prior to version 1.6.19. The vulnerability is a command-injection flaw in the SSO browser URL authentication flow, allowing a remote attacker to execute commands on the user’s machine if the attacker first hosts a malicious resource and...

CVSS 8.8 | AI score 8.1 | EPSS 0.00746
Exploits: 0 | References: 3 | Affected Software: 1