CVE ID
- CVE-2025-24788 - Files downloaded from stages are temporarily placed in a world-readable local directory on Linux and macOS, accessible to unauthorized local users.
CWE ID
- CWE-276 (Incorrect Default Permissions)
CPEs
- cpe:2.3:a:snowflake:snowflake_connector:*:*:*:*:*:.net:*:* (versions >= 2.0.12, < 4.3.0)
Affected versions
- 2.0.12 through 4.2.0 (Linux/macOS)
Patched versions:
- 4.3.0
Description
- snowflake-connector-net is the Snowflake Connector for .NET. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are temporarily placed in a world-readable local directory, making them accessible to unauthorized users on the same machine. This vulnerability affects versions 2.0.12 through 4.2.0 on Linux and macOS. Snowflake fixed the issue in version
