Snowflake JDBC allows an untrusted search path on Windows
Description
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. When the EXTERNALBROWSER authentication method is used on Windows, an attacker with write access to a directory in the %PATH% can escalate their privileges to the user that runs the vulnerable JDBC Driver version. This vulnerability affects versions 3.2.3 through 3.21.0 on Windows. Snowflake fixed the issue in version 3.22.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
net.snowflake:snowflake-jdbcMaven | >= 3.2.3, < 3.22.0 | 3.22.0 |
Affected products
1- Range: >= 3.2.3, < 3.22.0
Patches
14f01bb8f9b70SNOW-1708383: Fix opening external browser on win (#2053)
2 files changed · +15 −16
.pre-commit-config.yaml+1 −1 modified@@ -1,5 +1,5 @@ repos: - repo: git@github.com:snowflakedb/casec_precommit.git - rev: v1.11 + rev: v1.35.5 hooks: - id: secret-scanner
src/main/java/net/snowflake/client/core/SessionUtilExternalBrowser.java+14 −15 modified@@ -6,6 +6,7 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.base.Strings; +import java.awt.Desktop; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; @@ -69,24 +70,22 @@ public HttpPost build(URI uri) { @Override public void openBrowser(String ssoUrl) throws SFException { + if (!URLUtil.isValidURL(ssoUrl)) { + throw new SFException(ErrorCode.INVALID_CONNECTION_URL, "Invalid SSOUrl found - " + ssoUrl); + } try { // start web browser - if (!URLUtil.isValidURL(ssoUrl)) { - throw new SFException( - ErrorCode.INVALID_CONNECTION_URL, "Invalid SSOUrl found - " + ssoUrl); - } - if (java.awt.Desktop.isDesktopSupported()) { - URI uri = new URI(ssoUrl); - java.awt.Desktop.getDesktop().browse(uri); + Runtime runtime = Runtime.getRuntime(); + Constants.OS os = Constants.getOS(); + if (Desktop.isDesktopSupported() + && Desktop.getDesktop().isSupported(Desktop.Action.BROWSE)) { + Desktop.getDesktop().browse(new URI(ssoUrl)); + } else if (os == Constants.OS.MAC) { + runtime.exec("open " + ssoUrl); + } else if (os == Constants.OS.WINDOWS) { + runtime.exec(new String[] {"rundll32", "url.dll,FileProtocolHandler", ssoUrl}); } else { - Runtime runtime = Runtime.getRuntime(); - Constants.OS os = Constants.getOS(); - if (os == Constants.OS.MAC) { - runtime.exec("open " + ssoUrl); - } else { - // linux? - runtime.exec("xdg-open " + ssoUrl); - } + runtime.exec("xdg-open " + ssoUrl); } } catch (URISyntaxException | IOException ex) { throw new SFException(ex, ErrorCode.NETWORK_ERROR, ex.getMessage());
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-7hpq-3g6w-pvhfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-24789ghsaADVISORY
- github.com/snowflakedb/snowflake-jdbc/commit/4f01bb8f9b708c71e7a2111c87371dbfc1d53dd6ghsax_refsource_MISCWEB
- github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-7hpq-3g6w-pvhfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.