Upstream information

CVE-2025-46327 at MITRE

Description

gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 1.13.3.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  CNA (GitHub) National Vulnerability Database SUSE
Base Score 3.3 7 6.3
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Local Local Local
Attack Complexity Low High High
Privileges Required Low Low Low
User Interaction None None None
Scope Unchanged Unchanged Unchanged
Confidentiality Impact Low High High
Integrity Impact None High High
Availability Impact None High None
CVSSv3 Version 3.1 3.1 3.1
SUSE Bugzilla entry: 1242017 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • alloy >= 1.9.1-1.1
  • govulncheck-vulndb >= 0.0.20250506T153719-1.1
Patchnames:
openSUSE-Tumbleweed-2025-15059
openSUSE-Tumbleweed-2025-15207


SUSE Timeline for this CVE

CVE page created: Tue Apr 29 02:00:18 2025
CVE page last modified: Fri Aug 1 14:37:20 2025