Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    12 vulnerabilities by Snow Software

    CVE-2024-1150 (GCVE-0-2024-1150)

    Vulnerability from nvd – Published: 2024-02-08 13:06 – Updated: 2024-08-01 18:26
    VLAI
    Title
    Improper validation of update packages
    Summary
    Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software Inventory Agent Affected: 0 , ≤ 7.3.1 (custom)
    Create a notification for this product.
    Date Public
    2024-02-08 12:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-22T14:56:07.795534Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T18:01:07.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:26:30.515Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Unix"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-02-08T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.\u003cp\u003eThis issue affects Inventory Agent: through 7.3.1.\u003c/p\u003e"
                }
              ],
              "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-08T13:06:16.747Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper validation of update packages",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2024-1150",
        "datePublished": "2024-02-08T13:06:16.747Z",
        "dateReserved": "2024-02-01T09:47:52.460Z",
        "dateUpdated": "2024-08-01T18:26:30.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1149 (GCVE-0-2024-1149)

    Vulnerability from nvd – Published: 2024-02-08 13:01 – Updated: 2025-05-15 19:40
    VLAI
    Title
    Improper validation of update packages
    Summary
    Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Date Public
    2024-02-08 12:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:26:30.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1149",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T15:45:43.042291Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-15T19:40:41.899Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.12.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.14.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-02-08T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.\u003cp\u003eThis issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-08T13:01:03.806Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper validation of update packages",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2024-1149",
        "datePublished": "2024-02-08T13:01:03.806Z",
        "dateReserved": "2024-02-01T09:47:48.899Z",
        "dateUpdated": "2025-05-15T19:40:41.899Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-7169 (GCVE-0-2023-7169)

    Vulnerability from nvd – Published: 2024-02-08 12:59 – Updated: 2024-08-02 08:50
    VLAI
    Title
    Impersonate vendor signed Powershell scripts
    Summary
    Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.This issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software Snow Inventory Agent Affected: 0 , ≤ 6.14.5 (all version)
    Create a notification for this product.
    Date Public
    2024-02-08 12:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-7169",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-08T17:17:07.783606Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:20:45.622Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:08.262Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Snow Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.14.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "all version"
                }
              ]
            }
          ],
          "datePublic": "2024-02-08T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.\u003cp\u003eThis issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0\u003c/p\u003e"
                }
              ],
              "value": "Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.This issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-473",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-473 Signature Spoof"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-08T12:59:40.731Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to version 7.0"
                }
              ],
              "value": "Upgrade to version 7.0"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Impersonate vendor signed Powershell scripts",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Validate all powershell scripts by public hashes\u0026nbsp;"
                }
              ],
              "value": "Validate all powershell scripts by public hashes\u00a0"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-7169",
        "datePublished": "2024-02-08T12:59:40.731Z",
        "dateReserved": "2023-12-29T09:26:41.449Z",
        "dateUpdated": "2024-08-02T08:50:08.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3937 (GCVE-0-2023-3937)

    Vulnerability from nvd – Published: 2023-08-11 11:28 – Updated: 2024-10-03 20:27
    VLAI
    Title
    Cross site scripting vulnerabilities in Snow License Manager
    Summary
    Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software Snow License Manager Affected: 9.0.0 , ≤ 9.30.1 (0)
    Create a notification for this product.
    Date Public
    2023-08-11 01:00
    Credits
    Can Doğu & Himanshu Giri
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.686Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3937",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T20:27:08.462859Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T20:27:22.370Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "x86",
                "64 bit",
                "32 bit"
              ],
              "product": "Snow License Manager",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "9.30.1",
                  "status": "affected",
                  "version": "9.0.0",
                  "versionType": "0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Can Do\u011fu \u0026 Himanshu Giri"
            }
          ],
          "datePublic": "2023-08-11T01:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"
                }
              ],
              "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-11T13:53:50.811Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to SLM version 9.30.2"
                }
              ],
              "value": "Upgrade to SLM version 9.30.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Cross site scripting vulnerabilities in Snow License Manager",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-3937",
        "datePublished": "2023-08-11T11:28:30.185Z",
        "dateReserved": "2023-07-25T13:29:16.203Z",
        "dateUpdated": "2024-10-03T20:27:22.370Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3864 (GCVE-0-2023-3864)

    Vulnerability from nvd – Published: 2023-08-11 11:24 – Updated: 2024-10-09 19:13
    VLAI
    Title
    SQL injection vulnerability in Snow License Manager
    Summary
    Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software SLM Affected: 8.0.0 , ≤ 9.30.1 (0)
    Create a notification for this product.
    snowsoftware snow_license_manager Affected: 8.0.0 , ≤ 9.30.1 (custom)
        cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-11 13:00
    Credits
    Can Doğu
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.529Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "snow_license_manager",
                "vendor": "snowsoftware",
                "versions": [
                  {
                    "lessThanOrEqual": "9.30.1",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T19:10:50.874637Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:13:07.827Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "x86",
                "64 bit",
                "32 bit"
              ],
              "product": "SLM",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "9.30.1",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Can Do\u011fu"
            }
          ],
          "datePublic": "2023-08-11T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal."
                }
              ],
              "value": "Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-11T11:24:05.823Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to version 9.30.2 or if running 9.27.0 apply the hotfix 9.27.1"
                }
              ],
              "value": "Upgrade to version 9.30.2 or if running 9.27.0 apply the hotfix 9.27.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection vulnerability in Snow License Manager",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-3864",
        "datePublished": "2023-08-11T11:24:05.823Z",
        "dateReserved": "2023-07-24T13:51:33.771Z",
        "dateUpdated": "2024-10-09T19:13:07.827Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2679 (GCVE-0-2023-2679)

    Vulnerability from nvd – Published: 2023-05-17 12:55 – Updated: 2025-03-05 18:59
    VLAI
    Title
    Data leakage in Adobe connector for SPE edition of SLM
    Summary
    Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software SPE SLM Affected: 9.27.0 , < 9.30.0 (0)
    Create a notification for this product.
    Date Public
    2023-05-17 12:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:03.986Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D56M00009Ex9dySAB"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2679",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-05T18:36:59.400645Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-05T18:59:17.458Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Adobe Connector"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "SPE SLM",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThan": "9.30.0",
                  "status": "affected",
                  "version": "9.27.0",
                  "versionType": "0"
                }
              ]
            }
          ],
          "datePublic": "2023-05-17T12:52:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data."
                }
              ],
              "value": "Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-17T12:56:03.381Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D56M00009Ex9dySAB"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHotfix is ready for 9.27.0, 9.27.1, 9.28.0 and 9.29.0. Will be included from 9.30.0\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Hotfix is ready for 9.27.0, 9.27.1, 9.28.0 and 9.29.0. Will be included from 9.30.0\n"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "Data leakage in Adobe connector for SPE edition of SLM",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-2679",
        "datePublished": "2023-05-17T12:55:58.193Z",
        "dateReserved": "2023-05-12T09:08:48.538Z",
        "dateUpdated": "2025-03-05T18:59:17.458Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1150 (GCVE-0-2024-1150)

    Vulnerability from cvelistv5 – Published: 2024-02-08 13:06 – Updated: 2024-08-01 18:26
    VLAI
    Title
    Improper validation of update packages
    Summary
    Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software Inventory Agent Affected: 0 , ≤ 7.3.1 (custom)
    Create a notification for this product.
    Date Public
    2024-02-08 12:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-22T14:56:07.795534Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T18:01:07.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:26:30.515Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Unix"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-02-08T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.\u003cp\u003eThis issue affects Inventory Agent: through 7.3.1.\u003c/p\u003e"
                }
              ],
              "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-08T13:06:16.747Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper validation of update packages",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2024-1150",
        "datePublished": "2024-02-08T13:06:16.747Z",
        "dateReserved": "2024-02-01T09:47:52.460Z",
        "dateUpdated": "2024-08-01T18:26:30.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1149 (GCVE-0-2024-1149)

    Vulnerability from cvelistv5 – Published: 2024-02-08 13:01 – Updated: 2025-05-15 19:40
    VLAI
    Title
    Improper validation of update packages
    Summary
    Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Date Public
    2024-02-08 12:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:26:30.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1149",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T15:45:43.042291Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-15T19:40:41.899Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.12.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.14.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-02-08T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.\u003cp\u003eThis issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-08T13:01:03.806Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper validation of update packages",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2024-1149",
        "datePublished": "2024-02-08T13:01:03.806Z",
        "dateReserved": "2024-02-01T09:47:48.899Z",
        "dateUpdated": "2025-05-15T19:40:41.899Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-7169 (GCVE-0-2023-7169)

    Vulnerability from cvelistv5 – Published: 2024-02-08 12:59 – Updated: 2024-08-02 08:50
    VLAI
    Title
    Impersonate vendor signed Powershell scripts
    Summary
    Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.This issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software Snow Inventory Agent Affected: 0 , ≤ 6.14.5 (all version)
    Create a notification for this product.
    Date Public
    2024-02-08 12:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-7169",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-08T17:17:07.783606Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:20:45.622Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:08.262Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Snow Inventory Agent",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "6.14.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "all version"
                }
              ]
            }
          ],
          "datePublic": "2024-02-08T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.\u003cp\u003eThis issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0\u003c/p\u003e"
                }
              ],
              "value": "Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.This issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-473",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-473 Signature Spoof"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-08T12:59:40.731Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to version 7.0"
                }
              ],
              "value": "Upgrade to version 7.0"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Impersonate vendor signed Powershell scripts",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Validate all powershell scripts by public hashes\u0026nbsp;"
                }
              ],
              "value": "Validate all powershell scripts by public hashes\u00a0"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-7169",
        "datePublished": "2024-02-08T12:59:40.731Z",
        "dateReserved": "2023-12-29T09:26:41.449Z",
        "dateUpdated": "2024-08-02T08:50:08.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3937 (GCVE-0-2023-3937)

    Vulnerability from cvelistv5 – Published: 2023-08-11 11:28 – Updated: 2024-10-03 20:27
    VLAI
    Title
    Cross site scripting vulnerabilities in Snow License Manager
    Summary
    Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software Snow License Manager Affected: 9.0.0 , ≤ 9.30.1 (0)
    Create a notification for this product.
    Date Public
    2023-08-11 01:00
    Credits
    Can Doğu & Himanshu Giri
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.686Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3937",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T20:27:08.462859Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T20:27:22.370Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "x86",
                "64 bit",
                "32 bit"
              ],
              "product": "Snow License Manager",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "9.30.1",
                  "status": "affected",
                  "version": "9.0.0",
                  "versionType": "0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Can Do\u011fu \u0026 Himanshu Giri"
            }
          ],
          "datePublic": "2023-08-11T01:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"
                }
              ],
              "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-11T13:53:50.811Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to SLM version 9.30.2"
                }
              ],
              "value": "Upgrade to SLM version 9.30.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Cross site scripting vulnerabilities in Snow License Manager",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-3937",
        "datePublished": "2023-08-11T11:28:30.185Z",
        "dateReserved": "2023-07-25T13:29:16.203Z",
        "dateUpdated": "2024-10-03T20:27:22.370Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3864 (GCVE-0-2023-3864)

    Vulnerability from cvelistv5 – Published: 2023-08-11 11:24 – Updated: 2024-10-09 19:13
    VLAI
    Title
    SQL injection vulnerability in Snow License Manager
    Summary
    Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software SLM Affected: 8.0.0 , ≤ 9.30.1 (0)
    Create a notification for this product.
    snowsoftware snow_license_manager Affected: 8.0.0 , ≤ 9.30.1 (custom)
        cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-11 13:00
    Credits
    Can Doğu
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.529Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "snow_license_manager",
                "vendor": "snowsoftware",
                "versions": [
                  {
                    "lessThanOrEqual": "9.30.1",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T19:10:50.874637Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:13:07.827Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "x86",
                "64 bit",
                "32 bit"
              ],
              "product": "SLM",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThanOrEqual": "9.30.1",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Can Do\u011fu"
            }
          ],
          "datePublic": "2023-08-11T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal."
                }
              ],
              "value": "Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-11T11:24:05.823Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to version 9.30.2 or if running 9.27.0 apply the hotfix 9.27.1"
                }
              ],
              "value": "Upgrade to version 9.30.2 or if running 9.27.0 apply the hotfix 9.27.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection vulnerability in Snow License Manager",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-3864",
        "datePublished": "2023-08-11T11:24:05.823Z",
        "dateReserved": "2023-07-24T13:51:33.771Z",
        "dateUpdated": "2024-10-09T19:13:07.827Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2679 (GCVE-0-2023-2679)

    Vulnerability from cvelistv5 – Published: 2023-05-17 12:55 – Updated: 2025-03-05 18:59
    VLAI
    Title
    Data leakage in Adobe connector for SPE edition of SLM
    Summary
    Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Snow Software SPE SLM Affected: 9.27.0 , < 9.30.0 (0)
    Create a notification for this product.
    Date Public
    2023-05-17 12:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:03.986Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.snowsoftware.com/s/feed/0D56M00009Ex9dySAB"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2679",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-05T18:36:59.400645Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-05T18:59:17.458Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Adobe Connector"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "SPE SLM",
              "vendor": "Snow Software",
              "versions": [
                {
                  "lessThan": "9.30.0",
                  "status": "affected",
                  "version": "9.27.0",
                  "versionType": "0"
                }
              ]
            }
          ],
          "datePublic": "2023-05-17T12:52:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data."
                }
              ],
              "value": "Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-17T12:56:03.381Z",
            "orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
            "shortName": "Snow"
          },
          "references": [
            {
              "url": "https://community.snowsoftware.com/s/feed/0D56M00009Ex9dySAB"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHotfix is ready for 9.27.0, 9.27.1, 9.28.0 and 9.29.0. Will be included from 9.30.0\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Hotfix is ready for 9.27.0, 9.27.1, 9.28.0 and 9.29.0. Will be included from 9.30.0\n"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "Data leakage in Adobe connector for SPE edition of SLM",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65",
        "assignerShortName": "Snow",
        "cveId": "CVE-2023-2679",
        "datePublished": "2023-05-17T12:55:58.193Z",
        "dateReserved": "2023-05-12T09:08:48.538Z",
        "dateUpdated": "2025-03-05T18:59:17.458Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }