Snowflake NodeJS Driver vulnerable to Command Injection
CVE-2023-34232

8.8HIGH

Key Information:

Vendor

snowflakedb

Status
snowflake-connector-nodejs
Vendor
CVE Published:
8 June 2023

What is CVE-2023-34232?

The snowflake-connector-nodejs, an official NodeJS driver for Snowflake, is susceptible to command injection through single sign-on (SSO) browser URL authentication in versions prior to 1.6.21. An attacker can exploit this vulnerability by establishing a malicious resource and redirecting users to this harmful URL. By successfully tricking a user into accessing the compromised URL, the attacker's crafted payload can be executed on the user's local machine, potentially leading to unauthorized remote command execution. To mitigate this risk, it is recommended to implement URL whitelisting and employ anti-phishing measures. Upgrade to version 1.6.21 or later to secure against this vulnerability.

Affected Version(s)

snowflake-connector-nodejs < 1.6.21

References

https://github.com/snowflakedb/snowflake-connector-nodejs...
x_refsource_CONFIRM
https://github.com/snowflakedb/snowflake-connector-nodejs...
x_refsource_MISC
https://github.com/snowflakedb/snowflake-connector-nodejs...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.