Snowflake Connector for Node.js TOCTOU Race Condition Vulnerability in Logging Configuration

Vulnerability

A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in the Snowflake Connector for Node.js, in versions from 1.10.0 up to, but not including, 2.0.4. The vulnerability arises when the Easy Logging feature is used on Linux and macOS. The connector reads its logging configuration from a user-specified file and checks that the file can be written only by its owner. This verification is flawed: as in any TOCTOU issue, the check and the later use of the file are separate steps, so the file can change between them. A local attacker with write access to the configuration file or its containing directory can therefore manipulate the logging settings. The attacker could change the logging level and output location, thereby gaining control over how logging is handled. The issue has been addressed in version 2.0.4 of the connector.
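The check-then-use pattern described above, next to a descriptor-based loader that closes the window, as an added example (not the connector's code or its actual fix). The function names, the `logging.json` file, the `level` key, the `pause` test hook and the owner-uid policy are all assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const LOOSE = 0o022; // group- or world-writable permission bits

// `pause` is a hypothetical test hook standing in for whatever another local
// process does in the window between the check and the read.

// Race-prone shape: stat() and readFile() each resolve the path on their own.
function loadCheckThenUse(file, pause = () => {}) {
  const st = fs.statSync(file);                      // time of check
  if (st.mode & LOOSE) throw new Error('config writable by group/others');
  pause();
  return JSON.parse(fs.readFileSync(file, 'utf8'));  // time of use
}

// Race-free shape: open once, then check and read the same descriptor, so the
// bytes parsed come from the exact file that passed the check.
function loadViaDescriptor(file, pause = () => {}) {
  const fd = fs.openSync(file, 'r');
  try {
    const st = fs.fstatSync(fd);
    if (!st.isFile()) throw new Error('config is not a regular file');
    // Assumed policy (not from the advisory): owner must be the current user.
    if (st.uid !== process.getuid()) throw new Error('config not owned by current user');
    if (st.mode & LOOSE) throw new Error('config writable by group/others');
    pause();
    return JSON.parse(fs.readFileSync(fd, 'utf8'));
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed scenario: the path is replaced by rename inside the window.
function demo(loader) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-demo-'));
  const file = path.join(dir, 'logging.json');       // constructed file name
  const write = (level) => {
    fs.writeFileSync(file + '.new', JSON.stringify({ level }), { mode: 0o600 });
    fs.renameSync(file + '.new', file);
  };
  try {
    write('INFO');
    return loader(file, () => write('TRACE')).level;
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

With the path-based loader `demo` returns the level written after the check; with the descriptor-based loader it returns the level that was actually checked.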

Impact

Exploitation of this vulnerability could lead to unauthorized modification of the logging configuration, allowing an attacker to control the logging level and where logs are sent.

Reproduction

To reproduce this vulnerability, use a version of the Snowflake Connector for Node.js between 1.10.0 and 2.0.3. Enable the Easy Logging feature and provide a configuration file that can be written to by the user. The connector will fail to properly verify the file's ownership, allowing for unauthorized changes to the logging settings.

Remediation

Upgrade to version 2.0.4 of the Snowflake Connector for Node.js, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.3
exploitability: 3.9
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.