CVE-2025-3717
📋 TL;DR
This vulnerability in the Grafana Snowflake Datasource Plugin allows user identifier confusion when OAuth passthrough is enabled and multiple users access the same datasource simultaneously. This can lead to unauthorized data exposure where users see Snowflake data belonging to other users. Organizations using affected plugin versions with OAuth passthrough enabled are at risk.
💻 Affected Systems
- Grafana Snowflake Datasource Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive Snowflake data belonging to one user is exposed to unauthorized users, potentially including personally identifiable information, financial data, or proprietary business intelligence.
Likely Case
Users intermittently see incorrect data from other users' Snowflake queries, leading to data leakage and potential compliance violations.
If Mitigated
With proper access controls and monitoring, impact is limited to occasional data display errors that are quickly detected and contained.
🎯 Exploit Status
Exploitation requires authenticated access to Grafana and specific configuration conditions. The vulnerability manifests during concurrent user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.1
Vendor Advisory: https://grafana.com/security/security-advisories/cve-2025-3717/
Restart Required: Yes
Instructions:
1. Update Grafana Snowflake Datasource Plugin to version 1.14.1 or later.
2. Restart Grafana service.
3. Verify plugin version in Grafana UI under Configuration > Plugins.
🔧 Temporary Workarounds
Disable OAuth Passthrough
Temporarily disable OAuth passthrough on Snowflake datasource configurations until patching is complete.
Edit each Snowflake datasource configuration in Grafana UI and disable OAuth passthrough option
Limit Concurrent Access
Implement user access scheduling or limit concurrent users per datasource to reduce the exploitation window.
Configure Grafana user permissions to restrict simultaneous access to critical datasources
🧯 If You Can't Patch
- Disable OAuth passthrough on all Snowflake datasources immediately
- Implement strict user access controls and monitor for unusual data access patterns
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in Grafana UI under Configuration > Plugins > Snowflake Datasource. If the version is 1.5.0 through 1.14.0 inclusive (any release before the 1.14.1 fix) and OAuth passthrough is enabled, the system is vulnerable.
Check Version:
Check Grafana UI: Configuration > Plugins > Snowflake Datasource, or check plugin directory: ls /var/lib/grafana/plugins/grafana-snowflake-datasource/
Verify Fix Applied:
Verify plugin version is 1.14.1 or higher in Grafana UI and test concurrent user access to Snowflake datasources with OAuth passthrough enabled.
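The version check above, scripted for the plugin directory the advisory names. This is an added example, not a script from the advisory or from Grafana. It assumes the standard Grafana plugin layout, where plugin.json sits at the plugin root (or under dist/) and carries the release under "info": { "version": "..." }; the affected range 1.5.0 through 1.14.0 and the fixed version 1.14.1 are taken from the advisory. The function names and the PLUGIN_DIR default are this example's own.

```shell
#!/bin/sh
# Added example: report whether an installed Snowflake datasource plugin falls in the
# affected range 1.5.0 .. 1.14.0 (fixed in 1.14.1). Path taken from the advisory;
# plugin.json layout is an assumption about the standard Grafana plugin structure.

PLUGIN_DIR="${PLUGIN_DIR:-/var/lib/grafana/plugins/grafana-snowflake-datasource}"

# Compare two dotted versions numerically, component by component.
# Prints -1, 0 or 1 (like strcmp); missing components count as 0, so 1.10 == 1.10.0.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when VERSION is within the affected range 1.5.0 through 1.14.0 inclusive.
is_affected_version() {
    [ -n "$1" ] || return 1
    [ "$(version_cmp "$1" 1.5.0)" -ge 0 ] && [ "$(version_cmp "$1" 1.14.0)" -le 0 ]
}

# Pull the first "version" string out of a plugin.json without depending on jq.
# The file is flattened to one line first so the key and value may sit on separate lines.
plugin_version() {
    tr -d '\n' < "$1" | awk '{
        if (match($0, /"version"[[:space:]]*:[[:space:]]*"[^"]*"/)) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*"version"[[:space:]]*:[[:space:]]*"/, "", s)
            sub(/"$/, "", s)
            print s
        }
    }'
}

# Exit 0 = not in affected range, 1 = affected, 2 = could not determine.
check_plugin() {
    dir="$1"
    manifest=""
    for candidate in "$dir/plugin.json" "$dir/dist/plugin.json"; do
        [ -f "$candidate" ] && { manifest="$candidate"; break; }
    done
    if [ -z "$manifest" ]; then
        echo "no plugin.json found under $dir (plugin not installed here?)"
        return 2
    fi
    v="$(plugin_version "$manifest")"
    if [ -z "$v" ]; then
        echo "could not read a version from $manifest"
        return 2
    fi
    if is_affected_version "$v"; then
        echo "$manifest: version $v is in the affected range 1.5.0-1.14.0; update to 1.14.1 or later"
        return 1
    fi
    echo "$manifest: version $v is outside the affected range"
    return 0
}

# Usage: sh check-snowflake-plugin.sh [plugin-dir]   (defaults to PLUGIN_DIR when given no argument)
if [ "$#" -gt 0 ]; then
    check_plugin "$1"
fi
```

Run it as `sh check-snowflake-plugin.sh /var/lib/grafana/plugins/grafana-snowflake-datasource` on each Grafana host; a non-zero exit from check_plugin is the signal to act. The version test only tells you the plugin is in range; the advisory's condition also requires OAuth passthrough to be enabled, which is set per datasource in the Grafana UI and must still be checked there.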
📡 Detection & Monitoring
Log Indicators:
- Multiple user sessions accessing same Snowflake datasource simultaneously
- User complaints about seeing incorrect data
- Authentication context switching in logs
Network Indicators:
- Unusual query patterns to Snowflake from Grafana instance
- Multiple user credentials being passed through single OAuth session
SIEM Query:
source="grafana" AND ("snowflake" OR "datasource") AND ("concurrent" OR "multiple users") AND ("oauth" OR "passthrough")