fix(deps): Update module github.com/snowflakedb/gosnowflake to v1.13.3 [SECURITY] #20661

Merged: kodiakhq[bot] merged 1 commit into main from renovate/go-github.com-snowflakedb-gosnowflake-vulnerability on Apr 28, 2025

cq-bot commented Apr 28, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/snowflakedb/gosnowflake | require | minor | v1.12.1 -> v1.13.3 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-46327

Issue

Snowflake discovered and remediated a vulnerability in the Go Snowflake Driver (“Driver”). When using the Easy Logging feature on Linux and macOS, the Driver didn’t correctly verify the permissions of the logging configuration file, potentially allowing an attacker with local access to overwrite the configuration and gain control over logging level and output location.

This vulnerability affects Driver versions from 1.7.0 up to, but not including, 1.13.3. Snowflake fixed the issue in version 1.13.3.

Vulnerability Details

When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location.

Solution

Snowflake released version 1.13.3 of the Go Snowflake Driver, which fixes this issue. We recommend users upgrade to version 1.13.3.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our Vulnerability Disclosure Policy.


Release Notes

snowflakedb/gosnowflake (github.com/snowflakedb/gosnowflake)

v1.13.3: Release

v1.13.2: Release

v1.13.1: Release

v1.13.0: Release


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

cq-bot added the automerge (Automatically merge once required checks pass) and security labels Apr 28, 2025

cq-bot commented Apr 28, 2025

ℹ Artifact update notice

File name: plugins/destination/snowflake/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/danieljoos/wincred | v1.2.1 -> v1.2.2 |
| github.com/gabriel-vasile/mimetype | v1.4.3 -> v1.4.7 |


cq-bot commented Apr 28, 2025

/gen sha=ac7837f3dcf7d2bf293ccd6124a1c2ff71d18d0c dir=plugins/destination/snowflake

kodiakhq bot merged commit dbaa2ea into main Apr 28, 2025 (16 checks passed)

kodiakhq bot deleted the renovate/go-github.com-snowflakedb-gosnowflake-vulnerability branch April 28, 2025 22:18

kodiakhq bot pushed a commit that referenced this pull request Apr 29, 2025:

🤖 I have created a release *beep* *boop*
---


## [4.4.15](plugins-destination-snowflake-v4.4.14...plugins-destination-snowflake-v4.4.15) (2025-04-29)


### Bug Fixes

* **deps:** Update module github.com/cloudquery/plugin-sdk/v4 to v4.79.0 ([#20636](#20636)) ([1ee4f97](1ee4f97))
* **deps:** Update module github.com/snowflakedb/gosnowflake to v1.13.3 [SECURITY] ([#20661](#20661)) ([dbaa2ea](dbaa2ea))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Labels

area/plugin/destination/snowflake, automerge (Automatically merge once required checks pass), security
