Snowflake Golang Driver vulnerable to Command Injection
CVE-2023-34231
What is CVE-2023-34231?
The Snowflake Golang driver (gosnowflake) prior to version 1.6.19 contains a command injection vulnerability in its single sign-on (SSO) browser URL authentication flow. An attacker who sets up a publicly accessible server that returns an attack payload in response to the SSO URL, and who tricks a user into visiting that link, can cause the user's system to render the malicious payload, resulting in remote code execution on the user's local machine. URL allowlisting (whitelisting) and anti-phishing measures significantly mitigate this risk. Users are encouraged to upgrade to version 1.6.19 or later to protect against this vulnerability.
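The URL allowlisting mitigation mentioned above, as an added illustration (not gosnowflake's own code or its actual fix): the SSO URL the client receives is parsed and checked against the account host the client already trusts before anything hands it to a browser launcher. The expected host, the `launch` callback and the sample URLs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// validateSSOURL applies an allowlist check to an SSO redirect URL received from
// the server. expectedHost is the account host the client already trusts
// (assumed here to come from the connection configuration).
func validateSSOURL(raw, expectedHost string) (*url.URL, error) {
	// Reject control characters (newline, NUL, ...) before any further handling.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return nil, errors.New("sso url contains control characters")
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("sso url does not parse: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("sso url scheme %q is not https", u.Scheme)
	}
	if !strings.EqualFold(u.Hostname(), expectedHost) {
		return nil, fmt.Errorf("sso url host %q is not the trusted host %q", u.Hostname(), expectedHost)
	}
	if u.User != nil {
		return nil, errors.New("sso url must not carry userinfo")
	}
	return u, nil
}

// openSSOURL launches the browser only after the allowlist check passes.
// The launcher is injected so it can be a no-op in tests.
func openSSOURL(raw, expectedHost string, launch func(string) error) error {
	u, err := validateSSOURL(raw, expectedHost)
	if err != nil {
		return err
	}
	return launch(u.String())
}

func main() {
	trusted := "example-account.example.com" // constructed placeholder host
	for _, s := range []string{
		"https://example-account.example.com/sso/start?token=abc", // constructed, accepted
		"http://attacker.invalid/payload",                          // constructed, rejected
	} {
		err := openSSOURL(s, trusted, func(u string) error { fmt.Println("would open:", u); return nil })
		fmt.Println(s, "->", err)
	}
}
```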
Affected Version(s)
gosnowflake < 1.6.19