Synopsis
Snowflake Hive MetaStore Connector has addressed a potential elevation of privilege vulnerability in a helper script for the Hive MetaStore Connector. The vulnerability in the script was patched on February 09, 2024, without a version bump to the Connector.
1. Impacted Products
Helper script for the Snowflake Hive MetaStore Connector.
2. Introduction
On February 09, 2024, Snowflake patched a potential elevation of privilege vulnerability in the helper script. We recommend using the latest version available here. No action is required if you are not using the helper script.
3. Elevation of Privilege Vulnerability
3.1 Description
Snowflake was informed through our bug bounty program of a potential elevation of privilege vulnerability in a script made available by Snowflake for the Hive MetaStore Connector. The vulnerability has been evaluated to have a medium severity with a maximum CVSSv3 base score of 4.0.
3.2 Scenarios and attack vector(s)
A malicious insider without admin privileges could, in theory, use the script to download content from a Microsoft domain to the local system and replace the valid content with malicious code. If the attacker then also had local access to the same system where the maliciously modified script is run, they could attempt to manipulate users into executing the attacker-controlled helper script, potentially gaining elevated privileges to the local system.
3.3 Our response
On February 8, 2024, Gee-netics (https://hackerone.com/gee-netics) reported the issue to Snowflake via our bug bounty program. On February 9, 2024, Snowflake released a patch for the helper script for the Hive MetaStore Connector.
3.4 Resolution
We strongly advise users who use the helper script to use the latest version as soon as possible.
4. Contact
If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.