PT-2023-3208 · Unknown · Gosnowflake

Published

2023-03-21

·

Updated

2025-11-21

·

CVE-2023-34231

CVSS v2.0

8.5

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: gosnowflake versions prior to 1.6.19
Description: A command injection vulnerability exists in the Snowflake Golang driver (gosnowflake) in its single sign-on (SSO) browser URL authentication. Exploitation requires the attacker to control, or redirect the user to, the resource the driver contacts during SSO: a malicious server that answers the SSO URL request with an attack payload instead of a legitimate identity-provider URL. If the attacker tricks a user into connecting with such a crafted connection URL, the user's local machine processes the returned payload, which can lead to remote code execution on the client. The scenario can be mitigated by URL allowlisting (whitelisting) of permitted SSO endpoints and by standard anti-phishing controls.
Recommendations: For gosnowflake versions prior to 1.6.19, upgrade to version 1.6.19 or later as soon as possible; that release fixes the command injection. As a temporary workaround, restrict the SSO URLs the driver may be pointed at to an allowlist of known identity-provider endpoints, apply standard anti-phishing controls, and restrict use of the SSO browser URL authentication feature until the upgrade is applied.
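The check below is an added example, not the gosnowflake project's own code. External-browser SSO, as assumed here, works by handing a server-supplied URL to the operating system's "open this URL" launcher (xdg-open, open, or rundll32 url.dll,FileProtocolHandler; the exact launchers the driver uses are an assumption of this example). The safe pattern this page recommends, an allowlist on what the driver will launch, is implemented as ValidateSSOURL: only absolute http(s) URLs with a host and no control characters reach the launcher, so a server response that is a file path, a non-web scheme, or a newline-smuggled argument is refused before any process is started. The sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"runtime"
	"strings"
)

// ErrUnsafeSSOURL is returned when the server-supplied SSO URL is not an
// absolute http(s) web address and therefore must not be handed to the OS
// browser launcher.
var ErrUnsafeSSOURL = errors.New("sso url rejected: not an absolute http(s) URL")

// ValidateSSOURL inspects a URL received from a possibly hostile server before
// it is passed to an OS-level "open this URL" command. It accepts only absolute
// http/https URLs that carry a host and contain no control characters.
func ValidateSSOURL(raw string) (*url.URL, error) {
	// Control characters (newline, NUL, ...) can split or alter a launcher
	// argument; reject them outright rather than relying on the parser.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return nil, ErrUnsafeSSOURL
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, ErrUnsafeSSOURL
	}
	scheme := strings.ToLower(u.Scheme)
	// A bare path such as C:\payload.exe parses with scheme "c" and an opaque
	// part; file:, javascript: and scheme-relative "//host" are rejected here.
	if (scheme != "http" && scheme != "https") || u.Host == "" || u.Opaque != "" {
		return nil, ErrUnsafeSSOURL
	}
	return u, nil
}

// browserCommand builds the platform launcher for an already validated URL.
// The launcher names follow the common xdg-open/open/rundll32 convention; they
// are an assumption of this example, not the driver's actual calls.
func browserCommand(u *url.URL) *exec.Cmd {
	switch runtime.GOOS {
	case "windows":
		return exec.Command("rundll32", "url.dll,FileProtocolHandler", u.String())
	case "darwin":
		return exec.Command("open", u.String())
	default:
		return exec.Command("xdg-open", u.String())
	}
}

// OpenSSOBrowser is the hardened entry point: validate first, launch second.
// Nothing is executed when validation fails.
func OpenSSOBrowser(raw string) error {
	u, err := ValidateSSOURL(raw)
	if err != nil {
		return err
	}
	return browserCommand(u).Start()
}

func main() {
	// Constructed sample server responses: one legitimate IdP redirect and
	// several values an OS launcher would treat as something other than a
	// web page.
	samples := []string{
		"https://idp.example.com/sso/start?token=abc",
		"file:///C:/Users/Public/payload.hta",
		"C:\\Users\\Public\\payload.exe",
		"javascript:alert(1)",
		"https://idp.example.com/\nC:\\payload.exe",
		"//idp.example.com/sso",
	}
	for _, s := range samples {
		_, err := ValidateSSOURL(s)
		fmt.Printf("%-48q accepted=%v\n", s, err == nil)
	}
}
```

Tightening the allowlist further to the specific identity-provider hosts an organisation actually uses (comparing u.Host against a configured set) is the natural next step and matches the page's workaround advice; the example stops at scheme and structure checks so that it runs without site-specific configuration.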

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-03328
CVE-2023-34231
GHSA-FWV2-65WH-2W8C

Affected Products

Gosnowflake