CVE-2022-42965
ReDoS vulnerability in snowflake-connector-python (PyPI)
What is CVE-2022-42965 About?
This vulnerability is an exponential Regular Expression Denial of Service (ReDoS) in the snowflake-connector-python PyPI package. It can lead to a denial of service, making the application unresponsive. Exploitation is possible when an attacker can control input to a specific method and is relatively easy.
Affected Software
Technical Details
The vulnerability resides within the get_file_transfer_type method of the snowflake-connector-python PyPI package. An attacker can craft a malicious input string that, when processed by a vulnerable regular expression within this method, causes the regular expression engine to enter a state of exponential backtracking. This excessive computation consumes significant CPU resources, leading to a Denial of Service condition on the affected system.
What is the Impact of CVE-2022-42965?
Successful exploitation may allow attackers to cause a denial of service, leading to system unresponsiveness or crashes.
What is the Exploitability of CVE-2022-42965?
Exploitation of this ReDoS vulnerability is of moderate complexity. It requires an attacker to be able to supply arbitrary input to the get_file_transfer_type method. Authentication and privilege requirements are dependent on the application's implementation and how this method is exposed; if accessible via unauthenticated or low-privileged network requests, the risk increases significantly. This is likely a remote exploit if the input can be controlled via network requests. The primary risk factor is the public exposure of any functionality that passes untrusted user input to the vulnerable method.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-42965?
Available Upgrade Options
- snowflake-connector-python
- <2.8.2 → Upgrade to 2.8.2
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-42965
- https://research.jfrog.com/vulnerabilities/snowflake-connector-python-redos-xray-257185/
- https://github.com/snowflakedb/snowflake-connector-python
- https://github.com/snowflakedb/snowflake-connector-python/commit/b9d2fc789fae4db865dde3d2a1bd72c8a9eab091
- https://research.jfrog.com/vulnerabilities/snowflake-connector-python-redos-xray-257185
- https://osv.dev/vulnerability/GHSA-4r6j-fwcx-94cf
- https://github.com/snowflakedb/snowflake-connector-python/pull/1327
- https://github.com/snowflakedb/snowflake-connector-python/releases/tag/v2.8.2
What are Similar Vulnerabilities to CVE-2022-42965?
Similar Vulnerabilities: CVE-2022-39353 , CVE-2022-40896 , CVE-2023-24807 , CVE-2020-8174 , CVE-2020-28168
