Description:
gosnowflake is the Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on (SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. A patch is available in version 1.6.19.
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
  - module: github.com/snowflakedb/gosnowflake
    packages:
      - package: gosnowflake
description: |
    gosnowflake is the Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on (SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. A patch is available in version 1.6.19.
cves:
  - CVE-2023-34231
references:
  - advisory: https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-fwv2-65wh-2w8c
  - fix: https://github.com/snowflakedb/gosnowflake/pull/757
  - fix: https://github.com/snowflakedb/gosnowflake/commit/e11a2a555f1b9f7adc1f01fb7b5e7f38fbbb2a1c
```
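The description names URL allowlisting as a mitigation. The following is an added example, not gosnowflake code and not the content of the linked fix, of how a Go client could check a server-supplied SSO URL before handing it to a browser launcher; `validateSSOURL`, the character set and the `example-idp.test` hosts are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Conservative character set (an assumption): quotes, backticks, $, ;, |, @,
// spaces and control bytes are refused rather than escaped.
var ssoURLChars = regexp.MustCompile(`^[A-Za-z0-9._~:/?&=%#+-]+$`)

// validateSSOURL (hypothetical helper) returns the parsed URL only if it is an
// https URL on an allowlisted IdP host and contains no unexpected characters.
func validateSSOURL(raw string, allowedHosts []string) (*url.URL, error) {
	if !ssoURLChars.MatchString(raw) {
		return nil, errors.New("sso url: unexpected character")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("sso url: %w", err)
	}
	if u.Scheme != "https" || u.User != nil || u.Hostname() == "" {
		return nil, errors.New("sso url: must be https with a host and no userinfo")
	}
	host := strings.ToLower(u.Hostname())
	for _, allowed := range allowedHosts {
		// Exact match or a true subdomain; a bare suffix match would also
		// accept "evil-login.example-idp.test".
		if host == allowed || strings.HasSuffix(host, "."+allowed) {
			return u, nil
		}
	}
	return nil, fmt.Errorf("sso url: host %q not allowlisted", host)
}

func main() {
	allow := []string{"login.example-idp.test"} // constructed allowlist
	for _, raw := range []string{ // constructed inputs
		"https://login.example-idp.test/sso?token=abc",
		"https://login.example-idp.test.attacker.test/sso",
		"https://login.example-idp.test/sso?x=a;b|c",
	} {
		_, err := validateSSOURL(raw, allow)
		fmt.Printf("%-50s accepted=%v\n", raw, err == nil)
	}
}
```

A URL that passes should still be given to the platform's browser opener as a single argument to `exec.Command`, never interpolated into a shell command line.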
I'm not clear on what the exact vulnerability here is supposed to be. The described scenario involves a user being directed to a malicious URL, at which time "the user’s local machine would render the malicious payload, leading to a remote code execution". I don't see how visiting a URL leads to code execution, unless the Snowflake driver itself is loading a page and executing code on it, which doesn't seem to be the case so far as I can tell.
If there is a vulnerability, it does not appear to be fixed in version 1.6.19, because none of the changes in that version seem like they would address this.
The linked fix (snowflakedb/gosnowflake#757) definitely does not fix any vulnerabilities, since it merely adds two functions which are not called anywhere outside of tests.
So either this isn't a vulnerability at all, or it's a vulnerability that I don't understand and there is no fix. Given that the referenced "fix" is plainly not fixing anything, I'm going to mark as not a vulnerability.
CVE-2023-34231 references github.com/snowflakedb/gosnowflake, which may be a Go module.