CVE-2026-28381
Grafana · Snowflake Datasource
The Grafana Snowflake Datasource allows authenticated users to read or write arbitrary files between the local Grafana server and the Snowflake host.
Executive summary
A critical vulnerability in the Grafana Snowflake Datasource allows an authenticated user to perform unauthorized file system operations between the server and the database host.
Vulnerability
The vulnerability exists due to improper validation of commands within the Snowflake datasource. Any authenticated user with access to the data source can execute GET/PUT commands to manipulate files on the underlying infrastructure.
Business impact
The CVSS score of 9.6 reflects the severe potential for unauthorized data access and system modification. An attacker could leverage this vulnerability to obtain sensitive configuration files, overwrite critical system binaries, or pivot further into the network, leading to a complete breach of the Grafana environment.
Remediation
Immediate Action: Update the Grafana Snowflake Datasource plugin to the latest version released by the vendor to remediate the insecure command execution flaw.
Proactive Monitoring: Review Grafana access logs and audit trails to identify any suspicious or unauthorized usage of the Snowflake datasource by existing user accounts.
Compensating Controls: Restrict permissions for the Snowflake datasource to only the users who need it, and use network-level segmentation to limit the impact of a compromised Grafana server.
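For the Proactive Monitoring step, the following added example (not part of the advisory or the vendor's tooling) flags GET/PUT file-transfer statements in exported datasource query records. It assumes a JSON-lines export with hypothetical fields `user`, `datasource` and `query`; the sample records are constructed, and the matching is a triage heuristic that relies on Snowflake's `PUT file://<path> @<stage>` and `GET @<stage> file://<path>` statement forms.

```python
import json
import re

# Remove /* ... */ and "--" comments so each statement's leading keyword is visible.
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
# PUT file://<local path> @<stage>   and   GET @<stage> file://<local path>
TRANSFER = re.compile(
    r"^(?:(?P<put>put)\s+'?file://(?P<src>[^\s']+)"
    r"|(?P<get>get)\s+\S+\s+'?file://(?P<dst>[^\s']+))",
    re.I,
)

def find_file_transfers(query):
    """Return (command, local_path) for every GET/PUT statement in a query string."""
    hits = []
    for stmt in COMMENTS.sub(" ", query).split(";"):
        m = TRANSFER.match(stmt.strip())
        if m:
            hits.append(("PUT", m.group("src")) if m.group("put") else ("GET", m.group("dst")))
    return hits

def scan(lines):
    """Return (user, datasource, command, local_path) for each flagged record."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a query record in the assumed format
        for cmd, path in find_file_transfers(rec.get("query", "")):
            findings.append((rec.get("user"), rec.get("datasource"), cmd, path))
    return findings

# Constructed sample records; field names and values are assumptions for illustration.
SAMPLE_LOG = [
    '{"user": "alice", "datasource": "snowflake-prod", "query": "SELECT region, SUM(amount) FROM sales GROUP BY region"}',
    '{"user": "bob", "datasource": "snowflake-prod", "query": "/* panel 4 */ PUT file:///var/example/app.conf @~/staged"}',
    '{"user": "bob", "datasource": "snowflake-prod", "query": "SELECT 1; get @~/staged \'file:///tmp/out/\'"}',
    '{"user": "carol", "datasource": "snowflake-prod", "query": "SELECT * FROM put_requests WHERE method = \'GET\'"}',
    'level=info msg="not a JSON record"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit from a dashboard or Explore query is worth reviewing, since ordinary panel queries are SELECT statements and have no reason to stage local files.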
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a significant risk to data integrity and system security. Organizations should immediately update the affected plugin and audit current user permissions to ensure that only authorized personnel have access to sensitive data sources.