CVE-2025-24795 MEDIUM

CVE-2025-24795: The Snowflake Connector for Python uses insecure cache files permissions

Vendor Snowflakedb

Product snowflake-connector-python

Weakness CWE-276

Published January 29, 2025

Last update January 31, 2025

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. On Linux systems, when temporary credential caching is enabled, the Snowflake Connector for Python will cache temporary credentials locally in a world-readable file. This vulnerability affects versions 2.3.7 through 3.13.0. Snowflake fixed the issue in version 3.13.1.

Key dates

Disclosure timeline

January 29, 2025 CVE published

January 31, 2025 Record updated

Identifiers

CVE CVE-2025-24795

CWE CWE-276

CVSS 4.4 / MEDIUM

Affected versions

Vendor Snowflakedb

Product snowflake-connector-python

Affected >= 2.3.7, < 3.13.1