Impact
Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 allows an attacker to inject and execute arbitrary SQL commands when vulnerable command paths are invoked. The injected SQL runs with the privileges of the active Snowflake session, so the impact is bounded by those privileges but can include data exfiltration, modification, or denial of service within the user's workspace.
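To make the bug class concrete, the following is an added example, not code from the advisory or from Snowflake CLI, that contrasts a parameter pasted into SQL text (improper neutralization) with the same lookup using bound parameters. It uses SQLite in memory so it runs offline; the table, rows and the crafted input are constructed for the demonstration, and the same binding principle applies to any SQL client, including Snowflake sessions.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_ROWS = [("alice", "finance"), ("bob", "engineering"), ("carol", "finance")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, team TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Improper neutralization: the caller's value becomes part of the SQL grammar.

    A value containing quote characters changes the WHERE clause instead of
    being compared as data, so the caller controls what the statement does.
    """
    sql = f"SELECT name, team FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the value is sent separately from the statement text,
    so it is only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, team FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on the same input and report the row counts."""
    conn = make_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, name)),
        "safe_rows": len(lookup_safe(conn, name)),
    }


if __name__ == "__main__":
    # A benign value behaves the same either way.
    print("alice:", compare("alice"))
    # A value that contains SQL syntax widens the unsafe query to every row
    # while the bound version simply finds no user with that literal name.
    print("crafted:", compare("' OR '1'='1"))
```

The defensive point is in the second call: the unsafe lookup returns the whole table for an input that is not any user's name, while the bound lookup returns nothing. Reviewing tooling for string-built SQL and moving such paths to bound parameters is the fix this advisory's vulnerability class calls for.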
Affected Systems
The vulnerability affects Snowflake CLI releases before version 3.19. Users running any earlier release of the Snowflake command-line interface are exposed and should confirm which version of the binary they are actually running.
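As an added helper for that check (not part of the advisory or of Snowflake CLI), the script below reads the version reported by the installed binary and compares it with the fixed release named above. It assumes the CLI is invoked as `snow` and that `snow --version` prints a line containing an X.Y.Z version token; the sample output strings used in the module are constructed, and only the numeric token is parsed, so the surrounding wording of the real output does not matter.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release the advisory names as not affected.
FIXED_VERSION: Tuple[int, int, int] = (3, 19, 0)

# Matches the first X.Y or X.Y.Z token in a version line.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version line, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the reported version is older than the fixed release,
    False if it is 3.19 or newer, None if no version could be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version < FIXED_VERSION


def installed_version_output(binary: str = "snow") -> Optional[str]:
    """Run `<binary> --version` and return its output, or None if not installed.

    Assumption: the CLI entry point is named `snow` and accepts --version.
    """
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return (proc.stdout or proc.stderr).strip() or None


if __name__ == "__main__":
    output = installed_version_output()
    if output is None:
        print("Snowflake CLI not found on PATH (or --version produced no output)")
    else:
        status = is_affected(output)
        print(f"reported: {output!r}")
        if status is None:
            print("could not parse a version number from the output")
        elif status:
            print("AFFECTED: older than 3.19, upgrade required")
        else:
            print("not affected: 3.19 or newer")
```

Running the module on a workstation or build agent gives a yes/no answer per host; in CI the same `is_affected` function can be fed the captured output of each agent's `snow --version` to inventory which runners still carry a pre-3.19 build.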
Risk and Exploitability
With a CVSS score of 6, the flaw is rated medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been reported at this time. Exploitation requires an attacker to supply crafted input through the CLI, typically via socially engineered command usage, malicious repository configuration, or compromised automation scripts that pass untrusted values into the CLI. Successful exploitation is possible only if the attacker can influence the command parameters, so restricting those parameters to trusted inputs mitigates the risk.
OpenCVE Enrichment