{"url":"http://public2.vulnerablecode.io/api/packages/381794?format=json","purl":"pkg:golang/github.com/snowflakedb/gosnowflake@1.6.19","type":"golang","namespace":"github.com/snowflakedb","name":"gosnowflake","version":"1.6.19","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.6.19","latest_non_vulnerable_version":"1.13.3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/142307?format=json","vulnerability_id":"VCID-q6vf-zjr2-aqh7","summary":"gosnowflake is the Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on (SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. 
A patch is available in version 1.6.19.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34231","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51172","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34231"},{"reference_url":"https://github.com/snowflakedb/gosnowflake","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/snowflakedb/gosnowflake"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34231","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34231"},{"reference_url":"https://github.com/snowflakedb/gosnowflake/pull/757","reference_id":"757","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:45:02Z/"}],"url":"https://github.com/snowflakedb/gosnowflake/pull/757"},{"reference_url":"https://github.com/snowflakedb/gosnowflake/commit/e11a2a555f1b9f7adc1f01fb7b5e7f38fbbb2a1c","reference_id":"e11a2a555f1b9f7adc1f01fb7b5e7f38fbbb2a1c","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv3.1",
"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:45:02Z/"}],"url":"https://github.com/snowflakedb/gosnowflake/commit/e11a2a555f1b9f7adc1f01fb7b5e7f38fbbb2a1c"},{"reference_url":"https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-fwv2-65wh-2w8c","reference_id":"GHSA-fwv2-65wh-2w8c","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:45:02Z/"}],"url":"https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-fwv2-65wh-2w8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381794?format=json","purl":"pkg:golang/github.com/snowflakedb/gosnowflake@1.6.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/snowflakedb/gosnowflake@1.6.19"}],"aliases":["CVE-2023-34231","GHSA-fwv2-65wh-2w8c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q6vf-zjr2-aqh7"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/snowflakedb/gosnowflake@1.6.19"}