Impact
The Snowflake datasource in Grafana implements GET and PUT commands that allow a user who can run queries to read or write files between the local Grafana server and the Snowflake host. An attacker with query permissions can therefore read arbitrary files or overwrite system files on the Grafana server, which can lead to privilege escalation or disruption of services.
Affected Systems
The Grafana Snowflake Datasource component is affected. No specific product versions are listed in the advisory; any installation of the datasource that is still unpatched is considered vulnerable.
Risk and Exploitability
The CVSS score of 9.6 indicates a high severity risk. EPSS is not reported, and the vulnerability is not yet in the CISA KEV catalog. An attacker needs to have the ability to execute queries against the datasource; once that privilege is available, the GET/PUT commands can be used to read or write local files without restriction, making exploitation straightforward for a user with sufficient query access.
OpenCVE Enrichment