VDB

CVE-2025-24794

CVE-2025-24794 PUBLISHED CVSS 6.7 MEDIUM

### Issue

Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as its serialization format, which can lead to local privilege escalation. The issue affects versions 2.7.12 through 3.13.0; Snowflake fixed it in version 3.13.1.

### Vulnerability Details

The OCSP response cache is written to the local filesystem of the machine running the Connector in the pickle serialization format and read back with pickle on later runs. Because unpickling executes whatever callables the serialized data names, anyone who can write to the cache file can run arbitrary code in the context of the process that loads it. When the Connector runs as a more privileged user than the one who can write the file, this is a local privilege escalation (CVSS vector AV:L, PR:H: local access and an already privileged foothold are required, and a successful attack yields full control of the loading process, C:H/I:H/A:H).

### Solution

Snowflake released version 3.13.1 of the Snowflake Connector for Python, which fixes this issue. Users should upgrade to version 3.13.1 or later. Until the upgrade is done, make sure the directory and file holding the OCSP response cache are owned by the user running the Connector and are not writable by any other local user.

### Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).
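The following is an added illustration, not code from the Snowflake Connector or from the advisory. It shows why an on-disk pickle cache is a code-execution sink: an object whose `__reduce__` names a callable is executed by `pickle.load`, so a writable cache file becomes an execution vector. Beside it is one hardened layout (data-only JSON, owner-only file mode, ownership and permission checks before parsing). The cache file name, the cache dictionary shape, and all helper names are assumptions made for the demo; the "attacker" side uses `os.mkdir` as a harmless, observable stand-in for a real payload.

```python
"""Pickle-backed cache vs. a data-only cache: added demo, not Snowflake's code."""
import json
import os
import pickle
import shutil
import stat
import tempfile


class MaliciousCacheEntry:
    """Anything with a __reduce__ that names a callable is executed on load."""

    def __init__(self, side_effect_dir: str):
        self.side_effect_dir = side_effect_dir

    def __reduce__(self):
        # pickle.load will call os.mkdir(side_effect_dir). A real payload would
        # name os.system or subprocess.Popen instead; mkdir keeps the demo harmless.
        return (os.mkdir, (self.side_effect_dir,))


def write_tampered_cache(cache_path: str, side_effect_dir: str) -> None:
    """Simulates an attacker who can write the cache file (the advisory's precondition)."""
    with open(cache_path, "wb") as f:
        # Assumed cache shape: a dict keyed by a constructed name.
        pickle.dump({"ocsp_response_cache": MaliciousCacheEntry(side_effect_dir)}, f)


def load_cache_unsafe(cache_path: str):
    """The vulnerable pattern: trusting whatever pickle is on disk."""
    with open(cache_path, "rb") as f:
        return pickle.load(f)


def write_cache_safe(cache_path: str, entries: dict) -> None:
    """Data-only format, file created with owner-only permissions."""
    fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(entries, f)


def load_cache_safe(cache_path: str) -> dict:
    """Hardened loader: refuse files we do not own or others can write, then parse JSON.

    The ownership/mode checks are POSIX semantics; on other platforms only the
    format check applies.
    """
    st = os.stat(cache_path)
    if os.name == "posix":
        if st.st_uid != os.getuid():
            raise PermissionError(f"{cache_path}: not owned by the current user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{cache_path}: writable by group or others")
    with open(cache_path, "r", encoding="utf-8") as f:
        data = json.load(f)  # pickle bytes fail here; nothing is executed
    if not isinstance(data, dict):
        raise ValueError(f"{cache_path}: unexpected cache shape")
    return data


def demo() -> dict:
    """Runs both loaders against a tampered file and a legitimate one."""
    workdir = tempfile.mkdtemp()
    try:
        cache = os.path.join(workdir, "ocsp_response_cache")  # assumed file name
        marker = os.path.join(workdir, "code_ran_here")

        # 1. Vulnerable loader: the attacker's callable runs during pickle.load.
        write_tampered_cache(cache, marker)
        load_cache_unsafe(cache)
        pickle_executed = os.path.isdir(marker)

        # 2. Hardened loader on the same attacker-controlled bytes: rejected, no side effect.
        marker2 = os.path.join(workdir, "code_ran_here_2")
        write_tampered_cache(cache, marker2)
        try:
            load_cache_safe(cache)
            safe_rejected = False
        except (ValueError, PermissionError):  # JSONDecodeError/UnicodeDecodeError are ValueErrors
            safe_rejected = True
        safe_rejected = safe_rejected and not os.path.isdir(marker2)

        # 3. Legitimate data round-trips through the hardened path.
        good = {"ocsp_response_cache": {"constructed-cert-id": "constructed-response"}}
        write_cache_safe(cache, good)
        safe_roundtrip = load_cache_safe(cache) == good

        return {
            "pickle_executed": pickle_executed,
            "safe_rejected": safe_rejected,
            "safe_roundtrip": safe_roundtrip,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The important design point is that `load_cache_safe` never hands untrusted bytes to a format that can name callables: JSON can only produce dicts, lists, strings and numbers, so a tampered file degrades to a parse error rather than code execution. The ownership and mode checks are defence in depth; they do not make pickle safe, they only narrow who can tamper.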

EPSS 0.13% · 32.1st percentile

Risk Scores

CVSS v3.1
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.13%
32.1st percentile

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| snowflake | snowflake_connector | 2.7.12 |
| PyPI | snowflake-connector-python | 2.7.12 |
| snowflakedb | snowflake-connector-python | >= 2.7.12, < 3.13.1 |

Timeline

  • Security Advisory (date not recorded)
  • Jan 29, 2025 CVE Published
  • Jan 29, 2025 Coalition ESS Score
  • Jan 29, 2025 PoC Published
  • Jan 29, 2025 PoC Published
  • Jan 30, 2025 EPSS Score
  • Feb 14, 2025 EPSS Score
  • Feb 22, 2025 Coalition ESS Score
  • Mar 1, 2025 EPSS Score
  • Mar 16, 2025 EPSS Score
  • Mar 31, 2025 EPSS Score
  • Apr 15, 2025 EPSS Score