CVE-2025-3717 identifies a concurrency-related vulnerability (CWE-653: Incorrect Locking) in the Grafana Snowflake Datasource Plugin, specifically affecting versions from 1.5.0 up to before 1.14.1. The issue arises when OAuth passthrough is enabled on a datasource shared by multiple users simultaneously within a single Grafana instance. Under these conditions, the plugin may incorrectly associate user identifiers, causing data queries to return information belonging to a different user than the one currently viewing the dashboard. This results in unauthorized data disclosure, violating confidentiality principles. The vulnerability does not affect data integrity or availability. The attack vector is network-based (remote), requiring low attack complexity but does require privileges (limited) and user interaction, such as accessing the shared datasource concurrently. The scope is limited to the affected plugin versions and configurations where OAuth passthrough is enabled and multiple users share the datasource. No public exploits have been reported, and no patches are linked in the provided data, though upgrading beyond version 1.14.1 is implied to resolve the issue. This vulnerability highlights the risks of session and identity management in multi-tenant or shared datasource environments within Grafana dashboards connected to Snowflake data sources.

For European organizations, the primary impact is unauthorized disclosure of sensitive data from Snowflake databases accessed via Grafana dashboards. This could lead to breaches of personal data or confidential business information, potentially violating GDPR and other data protection regulations. The risk is particularly relevant for organizations using Grafana as a centralized monitoring or analytics platform with OAuth passthrough enabled and multiple users accessing the same datasource concurrently. Although the CVSS score is low, the exposure of unauthorized data could have reputational and compliance consequences. The vulnerability does not allow data modification or service disruption, limiting its impact to confidentiality. Organizations in sectors such as finance, healthcare, and government, where Snowflake is used for sensitive data analytics, are at higher risk. The lack of known exploits reduces immediate threat but does not eliminate risk, especially in environments with high user concurrency and shared datasources.

European organizations should immediately audit their Grafana Snowflake Datasource Plugin versions and configurations. Specifically, they should: 1) Upgrade the plugin to version 1.14.1 or later where the vulnerability is fixed. 2) Temporarily disable OAuth passthrough on shared datasources if upgrading is not immediately possible. 3) Limit concurrent access to datasources by multiple users or segregate datasources per user to avoid session confusion. 4) Implement strict access controls and monitoring on Grafana instances to detect anomalous data access patterns. 5) Review and tighten OAuth token handling and session management configurations. 6) Conduct internal penetration testing focusing on multi-user datasource scenarios to verify no unauthorized data leakage occurs. 7) Educate users about the risks of shared datasource usage with OAuth passthrough enabled. These steps go beyond generic advice by focusing on configuration changes and operational controls specific to this vulnerability scenario.