CVE-2025-24795: Snowflake Connector for Python Temporary Credential Caching Vulnerability and Remediation

The Snowflake Connector for Python is a popular and widely used library for integrating Python applications with the Snowflake platform. It offers robust features that enable Python developers to establish connections to Snowflake, and execute various database operations such as querying, loading/unloading of data, and more.

Snowflake acknowledged and addressed a security vulnerability that was present in the Snowflake Connector for Python. The vulnerability revolves around temporary credential caching on Linux-based systems. The caching process could lead to a potential information leak as the temporary credentials stored in the cache file were accessible to every user on the system.

Affected Versions

The vulnerability is present in Snowflake Connector for Python versions 2.3.7 to 3.13.. Snowflake has since resolved this issue in version 3.13.1.

Detailed Exploit Description

The vulnerability comes into play when the Snowflake Connector for Python is used on a Linux-based system with temporary credential caching enabled. Due to improper file permissions, cached temporary credentials end up being stored in a world-readable file. By accessing this file, unauthorized users may obtain sensitive information thereby posing a threat to data security.

To further illustrate this, here's a sample code snippet utilizing the Snowflake Connector for Python:

import snowflake.connector

# Connect to Snowflake using the user's credentials
connection = snowflake.connector.connect(
    user="username",
    password="password",
    account="account_name",
    warehouse="warehouse_name",
    database="database_name",
    schema="schema_name"
)

# Perform data operations
# ...

# Close the connection
connection.close()

In the sample code above, the user connects to Snowflake utilizing their credentials. During execution, if temporary credential caching is enabled, the Snowflake connector creates a cache file containing the user's temporary credentials. Due to the file permissions issue, any authenticated user on the system could potentially read the contents of this file thereby exposing sensitive information.

Mitigation

To mitigate this vulnerability, users are strongly advised to upgrade their Snowflake Connector for Python package to version 3.13.1 or later. The updated package addresses the issue by setting the correct file permissions when caching temporary credentials. You can easily upgrade your package using pip:

pip install --upgrade snowflake-connector-python

In addition to the package upgrade, it is also recommended to audit your system and verify if any world-readable cache files containing temporary credentials exist. If you find any files with improper permissions, please remove them or change the permissions to restrict access.

Conclusion

Snowflake has taken swift action to resolve the vulnerability in the Snowflake Connector for Python by releasing version 3.13.1. To ensure the security of your data, it is highly recommended to update your package and check your system for any cache files with improper permissions.

Original References

* Snowflake Connector for Python Documentation
* Snowflake Security Advisory

Timeline

Published on: 01/29/2025 21:15:21 UTC