GHSA-2mqw-rq5m-8hc8

Source

https://github.com/advisories/GHSA-2mqw-rq5m-8hc8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2mqw-rq5m-8hc8/GHSA-2mqw-rq5m-8hc8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2mqw-rq5m-8hc8

Aliases

CVE-2025-24788

Published

2025-01-29T20:50:55Z

Modified

2025-01-29T22:27:20.920069Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Snowflake.Data has weak temporary files permissions

Details

Issue

Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are temporarily placed in a world-readable local directory, making them accessible to unauthorized users on the same machine.

This vulnerability affects versions 2.0.12 through 4.2.0 on Linux and macOS. Snowflake fixed the issue in version 4.3.0.

Vulnerability Details

When downloading files from stages, the Snowflake Connector for .NET uses the OS temporary directory to save files before copying them to the destination directory. The files in the temporary directory, which are removed once the write to the destination directory concludes, have world-readable permissions on Linux and macOS. This could allow any user on the local machine to access them during their limited lifetime.

Solution

Snowflake released version 4.3.0 of the Snowflake Connector for .NET, which fixes this issue. We recommend users upgrade to version 4.3.0.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Database specific

{
    "nvd_published_at": "2025-01-29T21:15:21Z",
    "cwe_ids": [
        "CWE-276"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-29T20:50:55Z"
}

References

Affected packages

NuGet / Snowflake.Data

Package

Name: Snowflake.Data; View open source insights on deps.dev
Purl: pkg:nuget/Snowflake.Data

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.12

Fixed

4.3.0

Affected versions

2.*

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2.0

Database specific

{
    "last_known_affected_version_range": "<= 4.2.0"
}