CVE-2026-3293
- Source
- https://cve.org/CVERecord?id=CVE-2026-3293
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3293.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-3293
- Aliases
- Published
- 2026-02-27T06:18:00.250Z
- Modified
- 2026-03-03T01:23:55.380657Z
- Severity
-
- 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- [none]
- Details
-
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052. A patch should be applied to remediate this issue.
- References
-
- https://github.com/snowflakedb/snowflake-jdbc/
- https://snowflakecomputing.atlassian.net/browse/SNOW-3104251
- https://vuldb.com/?ctiid.348035
- https://vuldb.com/?id.348035
- https://vuldb.com/?submit.760428
- https://github.com/snowflakedb/snowflake-jdbc/issues/2505
- https://github.com/snowflakedb/snowflake-jdbc/issues/2505#issue-3951994646
- https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052
Affected packages
Git / github.com/snowflakedb/snowflake-jdbc
Affected ranges
- Type
- GIT
- Repo
- https://github.com/snowflakedb/snowflake-jdbc
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
3.*
3.13.21
3.13.22
v3.*
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.1.0
v3.1.1
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.11.0
v3.11.1
v3.12.0
v3.12.1
v3.12.11
v3.12.12
v3.12.14
v3.12.16
v3.12.2
v3.12.3
v3.12.4
v3.12.5
v3.12.6
v3.12.7
v3.12.9
v3.13.0
v3.13.1
v3.13.10
v3.13.12
v3.13.13
v3.13.14
v3.13.15
v3.13.16
v3.13.17
v3.13.18
v3.13.19
v3.13.2
v3.13.20
v3.13.21
v3.13.22
v3.13.23
v3.13.24
v3.13.25
v3.13.26
v3.13.27
v3.13.28
v3.13.29
v3.13.3
v3.13.30
v3.13.31
v3.13.32
v3.13.33
v3.13.4
v3.13.5
v3.13.6
v3.13.7
v3.13.8
v3.13.9
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.14.4
v3.14.5
v3.15.0
v3.15.1
v3.16.0
v3.16.1
v3.17.0
v3.18.0
v3.19.0
v3.19.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.20.0
v3.21.0
v3.22.0
v3.23.0
v3.23.1
v3.23.2
v3.24.0
v3.24.1
v3.24.2
v3.25.0
v3.25.1
v3.26.0
v3.26.1
v3.27.0
v3.27.1
v3.28.0
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.6.0
v3.6.1
v3.6.10
v3.6.11
v3.6.12
v3.6.13
v3.6.14
v3.6.15
v3.6.16
v3.6.17
v3.6.18
v3.6.19
v3.6.2
v3.6.20
v3.6.21
v3.6.23
v3.6.24
v3.6.25
v3.6.26
v3.6.27
v3.6.28
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8
v3.6.9
v3.7.0
v3.7.1
v3.7.2
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.8.7
v3.8.8
v3.9.0
v3.9.1
v3.9.2
v4.*
v4.0.0
v4.0.1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3293.json"
vanir_signatures
[
{
"digest": {
"line_hashes": [
"98477693419740486826957712217348434359",
"82388752944632142785033502266428954884",
"124187988953323007130402207391848211131",
"186474993618274287299012386049079391010",
"312312646365527404322896914180135652174",
"325549038367075644367925509952329109689",
"255399039998199395672082696711991477408",
"305065649275694115474792943262349361564",
"226912659264888484392334000460825646972",
"303937938665113039074778954084716776373",
"250746230361507854005867227835033378554"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-27c40f46",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/jdbc/cloud/storage/S3HttpUtil.java"
},
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"244885537023776184185850032438339177370",
"259257079859437770703724871545529669461",
"248514767577989779532161164871408817789",
"2344940727235823154021134846492701899",
"62223394440168849998075205707702081178",
"197662254873979553785719445802126658586"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-2ea531a3",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/jdbc/SnowflakeUtil.java"
},
"signature_type": "Line"
},
{
"digest": {
"length": 586.0,
"function_hash": "162083954738160326919084260320140183570"
},
"id": "CVE-2026-3293-4fc178ed",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/test/java/net/snowflake/client/internal/core/CoreUtilsMiscellaneousTest.java",
"function": "testSetProxyForS3"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"270357572742548676711794138946533381790",
"83061727286661362197141710829271203892",
"261708336061143522410073379744322435049",
"101381560256813163157404562199135006521",
"80291845650087338489093496899007967760",
"238917225933029533315058454618744900598",
"85764864249500544067776684157233737599",
"44859733766022032545935753252105822615",
"280126830185301262223118235189602261043",
"137404141965600136407332371881823715612",
"170183413106163612637332178491405078846",
"257572896659026778977038453223205331747",
"84966406784565192191916889214247519361"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-6db9c10e",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java"
},
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"150710249330310319602641167446527212744",
"151705557009477574602708845980076947144",
"142165455434711837628968605479515531423",
"251642673546880200507634366932168080229",
"118094635487905400785470259686636751021",
"155144157007750112799759935374567710352",
"310248221038735491443397475586103783242",
"330835924449485393715332068290496523197",
"40367210223239733107076327772486694043",
"46870592939078356281597760051405846482",
"256237840331900433633737684571292910295",
"57746455630195880778545432187230440095",
"15421140975661073386763218650279415313"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-7f5ca82d",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/test/java/net/snowflake/client/internal/jdbc/cloud/storage/S3HttpUtilTest.java"
},
"signature_type": "Line"
},
{
"digest": {
"length": 1034.0,
"function_hash": "164022317159229063471411955943676374916"
},
"id": "CVE-2026-3293-80fdce99",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/test/java/net/snowflake/client/internal/core/CoreUtilsMiscellaneousTest.java",
"function": "testSetSessionlessProxyForS3"
},
"signature_type": "Function"
},
{
"digest": {
"length": 205.0,
"function_hash": "212188797323627659532858199722420038941"
},
"id": "CVE-2026-3293-8ddd8972",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java",
"function": "doesTargetMatchNonProxyHosts"
},
"signature_type": "Function"
},
{
"digest": {
"length": 607.0,
"function_hash": "6415393895239304249452756048568119583"
},
"id": "CVE-2026-3293-9432db27",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/test/java/net/snowflake/client/internal/jdbc/cloud/storage/S3HttpUtilTest.java",
"function": "prepareNonProxyHostsTestCases"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"114805082251890104209774913076037701341",
"191216990538631794879668905007936200433",
"156181153140679460160061997505940707198",
"335786612396799193435577907368969365596",
"109560459784957183176816434909804887422",
"105655916224379560598219147910901223032",
"326046831149279907346844644442998723790",
"328663136170513646991356051206978487317",
"921720447972886077079655900905063401",
"329348859725081781053793841882930040821",
"25544083745999560938392007781416526847",
"6402617495146098457159209828566960693",
"155439255938143818536333288647132838617",
"336542424055428736233847952352198324978",
"97636490484108858435893484896376884816",
"285979680249187108709602120919795918076",
"219988266070240389265377887328453371784",
"20794298670793229839957562909308092696",
"69971968675305519773757264488910715309"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-ad4b0f1b",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/test/java/net/snowflake/client/internal/core/CoreUtilsMiscellaneousTest.java"
},
"signature_type": "Line"
},
{
"digest": {
"length": 280.0,
"function_hash": "53846128629043549939252682252254124420"
},
"id": "CVE-2026-3293-bfd05e4b",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/jdbc/diagnostic/ProxyConfig.java",
"function": "isBypassProxy"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"249892423620943439165192050413885334576",
"199517825183868670158416618476079049363",
"201236737985784119931768373690989401134",
"327738433469571815560471684997036710823",
"171017120323870890205729113047410341871",
"162289490563098829921417209240337486974",
"274909432296768964931121450137421335887",
"18013210919410997390425341677738975191",
"245703041486866393713999441225590272787",
"102895572505141119349585122079311348797",
"181286707581312634379846071860272329591"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-cf6239fd",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/jdbc/diagnostic/ProxyConfig.java"
},
"signature_type": "Line"
},
{
"digest": {
"length": 482.0,
"function_hash": "238493824841700870031192054612929701804"
},
"id": "CVE-2026-3293-dbbb85e3",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java",
"function": "SdkProxyRoutePlanner"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"52958290255638170744996982182790335764",
"257685468733477514644991889620029075212",
"295129759006749846717359642063827907330",
"105627018127337416567263568606718225783",
"247685854067005265290484853983130158715",
"311438997209130607952391071934850312886",
"17308007655812458356458926882025424010"
],
"threshold": 0.9
},
"id": "CVE-2026-3293-e319ca63",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/test/java/net/snowflake/client/internal/jdbc/SnowflakeUtilTest.java"
},
"signature_type": "Line"
},
{
"digest": {
"length": 257.0,
"function_hash": "165183501062252587114589756144728407522"
},
"id": "CVE-2026-3293-f2e95ebb",
"source": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "src/main/java/net/snowflake/client/internal/jdbc/cloud/storage/S3HttpUtil.java",
"function": "prepareNonProxyHosts"
},
"signature_type": "Function"
}
]