脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Snowflake CLI Server-Side Request Forgery via Arbitrary URL Fetch in !source/!load
脆弱性説明
Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination. By supplying crafted SQL content processed through a vulnerable command path, an attacker could cause the victim's environment to issue unintended outbound requests to internal or otherwise non-public network locations, and could cause remote SQL content to be retrieved and executed in the context of the victim user's session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges available to that session and environment. The fix is available in Snowflake CLI version 3.19, which adds an option to disable remote URL retrieval.
CVSS情報
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
脆弱性タイプ
服务端请求伪造(SSRF)
脆弱性タイトル
Snowflake CLI 软件供应链问题漏洞
脆弱性説明
Snowflake CLI是美国Snowflake公司的一个命令行工具,用于管理云计算环境中的数据仓库任务。 Snowflake CLI 3.19.0之前版本存在安全漏洞,该漏洞源于对不受信任的远程引用处理不当,导致服务器端请求伪造。SQL语句读取器的!source/!load指令可引用运行时所检索的远程URL,且对请求目标限制不足。通过提供经脆弱命令路径处理的恶意SQL内容,攻击者可导致受害者环境向内部或非公开网络位置发起非预期出站请求,并可在受害者用户会话环境中检索和执行远程SQL内容。
CVSS情報
N/A
脆弱性タイプ
N/A