CVE-2025-24790
📋 TL;DR
The Snowflake JDBC Driver vulnerability allows local users on Linux systems to read cached temporary credentials from a world-readable file when temporary credential caching is enabled. This affects Java applications using Snowflake JDBC Driver versions 3.6.8 through 3.21.0 on Linux. The vulnerability exposes database credentials to unauthorized local users.
💻 Affected Systems
- Snowflake JDBC Driver
📦 What is this software?
Snowflake JDBC Driver by Snowflake
⚠️ Risk & Real-World Impact
Worst Case
Local attackers gain access to Snowflake database credentials, potentially leading to unauthorized data access, data exfiltration, or privilege escalation within the database.
Likely Case
Local users or compromised accounts on the same system can read cached credentials and access the Snowflake database with the permissions of the cached account.
If Mitigated
With proper file permissions and access controls, only authorized users can access the credential cache file, limiting exposure.
🎯 Exploit Status
Exploitation requires local access to the Linux system and the temporary credential caching feature to be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.22.0
Vendor Advisory: https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-33g6-495w-v8j2
Restart Required: Yes
Instructions:
1. Update Snowflake JDBC Driver to version 3.22.0 or later.
2. Update the dependency in your Java project (Maven: <version>3.22.0</version>, Gradle: version '3.22.0').
3. Rebuild and redeploy your application.
4. Restart any running applications using the JDBC driver.
🔧 Temporary Workarounds
Disable Temporary Credential Caching
Platform: all
Disable the temporary credential caching feature so that no credential cache file is created.
Set JDBC connection parameter: temporary_credential_cache_enabled=false
Secure Credential Cache File Permissions
Platform: Linux
If temporary caching must remain enabled, manually set restrictive permissions on the credential cache file.
chmod 600 /tmp/snowflake_credential_cache_*
chown <user>:<group> /tmp/snowflake_credential_cache_*
🧯 If You Can't Patch
- Disable temporary credential caching in JDBC connection parameters.
- Implement strict file system permissions and access controls on systems running the JDBC driver.
🔍 How to Verify
Check if Vulnerable:
Check if using Snowflake JDBC Driver version 3.6.8 through 3.21.0 on Linux with temporary credential caching enabled. Look for world-readable files in /tmp matching pattern 'snowflake_credential_cache_*'.
Check Version:
Check Maven/Gradle dependencies or run: java -cp snowflake-jdbc.jar net.snowflake.client.jdbc.SnowflakeDriver --version
Verify Fix Applied:
Verify JDBC driver version is 3.22.0 or later. Confirm no world-readable credential cache files exist in /tmp.
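The permission check described under "Check if Vulnerable" and the chmod workaround above, as an added POSIX shell example (not from the advisory or from Snowflake): audit_cache_files reports every cache file whose mode grants group or world read access, and fix_cache_files restricts them to the owner. It assumes the /tmp location and snowflake_credential_cache_* pattern named on this page; the directory can be overridden with the first argument.

```shell
#!/bin/sh
# Audit a directory for Snowflake JDBC temporary credential cache files that
# other local users can read, and optionally tighten them to mode 0600.
# Directory and filename pattern are the ones named in this advisory
# (/tmp, snowflake_credential_cache_*); pass another directory as $1.

# Print one line per cache file readable by group or others.
# Returns 0 when no file is exposed, 1 when at least one is.
audit_cache_files() {
    dir="${1:-/tmp}"
    exposed=0
    for f in "$dir"/snowflake_credential_cache_*; do
        [ -f "$f" ] || continue            # glob matched nothing
        # Octal mode bits; GNU stat first, BSD stat as a fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        perm=$(printf '%s' "$mode" | tail -c 3)   # last three digits, e.g. 644
        group=$(printf '%s' "$perm" | cut -c2)
        other=$(printf '%s' "$perm" | cut -c3)
        # The read bit is 4, so any digit >= 4 grants read access.
        if [ "$group" -ge 4 ] || [ "$other" -ge 4 ]; then
            printf 'EXPOSED %s mode=%s\n' "$f" "$perm"
            exposed=1
        fi
    done
    return $exposed
}

# Restrict every cache file in the directory to owner-only read/write.
fix_cache_files() {
    dir="${1:-/tmp}"
    for f in "$dir"/snowflake_credential_cache_*; do
        [ -f "$f" ] || continue
        chmod 600 "$f"
    done
}
```

Run audit_cache_files before and after fix_cache_files; a non-zero exit from the audit is the signal to investigate who on the host could have read the file.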
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts from unexpected IPs or users
- Unusual database queries or access patterns
Network Indicators:
- Database connections from unauthorized systems or users
SIEM Query:
source="/tmp/snowflake_credential_cache_*" AND (permissions="rw-r--r--" OR permissions="world-readable")