| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/snowflakedb/gosnowflake | go | >= 1.7.0, < 1.13.3 | 1.13.3 |
The vulnerability is a TOCTOU race condition when checking permissions of the Easy Logging configuration file. The analysis of the commit ba94a4800e23621eff558ef18ce4b96ec5489ff0 shows changes primarily in client_configuration.go related to how the configuration file is read and its permissions are validated.
The function parseClientConfiguration in client_configuration.go previously read the file using os.ReadFile and then separately called validateCfgPerm to check its permissions. This separation of the check from the use is the hallmark of the TOCTOU vulnerability. The patch changes this to call a new function getFileContents, which opens the file, validates permissions and ownership on the resulting file descriptor, and reads from that same descriptor, so the file that is checked is the file that is read.
The function validateCfgPerm in client_configuration.go was responsible for the permission check. It was removed in the patch, indicating its role in the vulnerability. This function performed an os.Stat(filePath) and then checked permissions; because that path-based check was decoupled from the actual file read, the file could be replaced between the two operations, which is unsafe.
The new functions introduced, such as getFileContents and validateFilePermissionBits (in os_specific_posix.go), are part of the mitigation strategy, ensuring that checks are done on an opened file descriptor and before the file is read, and using flags like O_NOFOLLOW to prevent symlink attacks.
The functions parseClientConfiguration and validateCfgPerm are identified as vulnerable because they were directly involved in the flawed process of accessing and validating the logging configuration file as described in the vulnerability details.