All the vulnerabilites related to snowflakedb - snowflake-connector-nodejs
cve-2023-34232
Vulnerability from cvelistv5
Published
2023-06-08 20:17
Modified
2025-01-06 20:19
Severity ?
EPSS score ?
Summary
Snowflake NodeJS Driver vulnerable to Command Injection
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| snowflakedb | snowflake-connector-nodejs |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:54.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-h53w-7qw7-vh5c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-h53w-7qw7-vh5c"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/pull/465",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/pull/465"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/0c9622ae12cd7d627df404b73a783b4a5f60728a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/0c9622ae12cd7d627df404b73a783b4a5f60728a"
},
{
"name": "https://community.snowflake.com/s/article/Node-js-Driver-Release-Notes",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.snowflake.com/s/article/Node-js-Driver-Release-Notes"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T20:19:44.262066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T20:19:54.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snowflake-connector-nodejs",
"vendor": "snowflakedb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snowflake-connector-nodejs, a NodeJS driver for Snowflake, is vulnerable to command injection via single sign on (SSO) browser URL authentication in versions prior to 1.6.21. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user\u2019s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. Version 1.6.21 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-08T20:17:49.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-h53w-7qw7-vh5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-h53w-7qw7-vh5c"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/pull/465",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/pull/465"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/0c9622ae12cd7d627df404b73a783b4a5f60728a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/0c9622ae12cd7d627df404b73a783b4a5f60728a"
},
{
"name": "https://community.snowflake.com/s/article/Node-js-Driver-Release-Notes",
"tags": [
"x_refsource_MISC"
],
"url": "https://community.snowflake.com/s/article/Node-js-Driver-Release-Notes"
}
],
"source": {
"advisory": "GHSA-h53w-7qw7-vh5c",
"discovery": "UNKNOWN"
},
"title": "Snowflake NodeJS Driver vulnerable to Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34232",
"datePublished": "2023-06-08T20:17:49.734Z",
"dateReserved": "2023-05-31T13:51:51.168Z",
"dateUpdated": "2025-01-06T20:19:54.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-24791
Vulnerability from cvelistv5
Published
2025-01-29 16:59
Modified
2025-01-29 17:08
Severity ?
EPSS score ?
Summary
snowflake-connector-nodejs has incorrect validation of temporary credential cache file permissions
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| snowflakedb | snowflake-connector-nodejs |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T17:08:41.667104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T17:08:51.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snowflake-connector-nodejs",
"vendor": "snowflakedb",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 2.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snowflake-connector-nodejs is a NodeJS driver for Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T16:59:24.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-xfhv-wqj6-rx99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-xfhv-wqj6-rx99"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/89731b3a4d61a75b721d13d4e47a7a3712ffa45f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/89731b3a4d61a75b721d13d4e47a7a3712ffa45f"
}
],
"source": {
"advisory": "GHSA-xfhv-wqj6-rx99",
"discovery": "UNKNOWN"
},
"title": "snowflake-connector-nodejs has incorrect validation of temporary credential cache file permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24791",
"datePublished": "2025-01-29T16:59:24.627Z",
"dateReserved": "2025-01-23T17:11:35.837Z",
"dateUpdated": "2025-01-29T17:08:51.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-46328
Vulnerability from cvelistv5
Published
2025-04-28 22:33
Modified
2025-04-29 13:41
Severity ?
EPSS score ?
Summary
NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| snowflakedb | snowflake-connector-nodejs |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T13:41:05.111533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T13:41:29.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snowflake-connector-nodejs",
"vendor": "snowflakedb",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 2.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10.0 to before 2.0.4, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 2.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T22:33:09.632Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-wmjq-jrm2-9wfr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-wmjq-jrm2-9wfr"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/e94c24112271e1f44c271634bf29a3188acc68d0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/e94c24112271e1f44c271634bf29a3188acc68d0"
}
],
"source": {
"advisory": "GHSA-wmjq-jrm2-9wfr",
"discovery": "UNKNOWN"
},
"title": "NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46328",
"datePublished": "2025-04-28T22:33:09.632Z",
"dateReserved": "2025-04-22T22:41:54.911Z",
"dateUpdated": "2025-04-29T13:41:29.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}