
SNOW-717483: Safety (pyup.io) reports vulnerability in the dependent snowflake-connector-python library #367

Closed
pjoshiAF opened this issue Dec 19, 2022 · 2 comments
Labels
status-triage_done Initial triage done, will be further handled by the driver team

Comments

@pjoshiAF

pjoshiAF commented Dec 19, 2022

Can we update the snowflake-connector-python version that fixes the following issue reported by safety?

  -> Vulnerability found in snowflake-connector-python version 2.7.7
   Vulnerability ID: 51802
   Affected spec: <2.8.2
   ADVISORY: Snowflake-connector-python 2.8.2 includes a fix for
   CVE-2022-42965: An exponential ReDoS (Regular Expression Denial of Service)
   can be triggered in the snowflake-connector-python PyPI package, when an
   attacker is able to supply arbitrary input to the undocumented
   get_file_transfer_type method.
   CVE-2022-42965
   For more information, please visit https://pyup.io/v/51802/f17
@github-actions github-actions bot changed the title Safety (pyup.io) reports vulnerability in the dependent snowflake-connector-python library SNOW-717483: Safety (pyup.io) reports vulnerability in the dependent snowflake-connector-python library Dec 19, 2022
@sfc-gh-aling (Collaborator)

@pjoshiAF yes, please feel free to upgrade to the latest connector version 2.9.0 which includes the fix via pip install --upgrade snowflake-connector-python.

Let me know if there's an issue you run into with the upgrade.
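To turn a Safety finding like the one quoted above into a check that can run in CI before an upgrade, here is an added example (not code from this issue thread or from either Snowflake project). It parses Safety's "Affected spec" format and compares it against the locally installed connector version; the `ADVISORY` values are copied from the report above, and the helper names are my own.

```python
"""Decide whether the installed snowflake-connector-python is inside the
affected range Safety reported (spec "<2.8.2", CVE-2022-42965)."""
from importlib import metadata
import re

# Values copied from the Safety output quoted in the issue.
ADVISORY = {"package": "snowflake-connector-python", "spec": "<2.8.2",
            "cve": "CVE-2022-42965", "fixed_in": "2.8.2"}

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def parse_version(text):
    """'2.7.7' -> (2, 7, 7). A pre-release suffix such as 'rc1' is dropped,
    so '2.8.2rc1' compares as 2.8.2 (conservative enough for a CI gate)."""
    m = re.match(r"\d+(\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def compare(a, b):
    """Three-way compare of version tuples, padding with zeros (2.8 == 2.8.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def matches_spec(version, spec):
    """True if `version` satisfies every comma-separated clause of `spec`,
    e.g. '<2.8.2' or '>=2.0,<2.8.2' (the format Safety prints)."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(<=|>=|==|!=|<|>)\s*(\S+)", clause.strip())
        if not m:
            raise ValueError(f"unparsable spec clause: {clause!r}")
        op, target = m.groups()
        if not OPS[op](compare(v, parse_version(target))):
            return False
    return True


def installed_status(advisory=ADVISORY):
    """'affected', 'fixed' or 'not installed' for the current environment."""
    try:
        ver = metadata.version(advisory["package"])
    except metadata.PackageNotFoundError:
        return "not installed"
    return "affected" if matches_spec(ver, advisory["spec"]) else "fixed"


if __name__ == "__main__":
    print(f"{ADVISORY['package']} ({ADVISORY['cve']}): {installed_status()}")
```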

@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage_done Initial triage done, will be further handled by the driver team label Mar 15, 2024
@sfc-gh-dszmolka

Was fixed 1.5 years ago and is not an issue with snowflake-sqlalchemy but instead the PythonConnector; marking this issue as closed.
