Skip to content
This repository was archived by the owner on Nov 12, 2025. It is now read-only.

github.com/SnowflakeDB/gosnowflake-v1.6.19: 3 vulnerabilities (highest severity is: 5.5) #10

Open
Open
github.com/SnowflakeDB/gosnowflake-v1.6.19: 3 vulnerabilities (highest severity is: 5.5)#10
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@ibm-mend-app

Description

@ibm-mend-app
ibm-mend-app
bot
opened on Feb 10, 2025
Vulnerable Library - github.com/SnowflakeDB/gosnowflake-v1.6.19

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.30.0.mod

Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/SnowflakeDB/gosnowflake-v1.6.19 version) Remediation Possible**
CVE-2025-22870 Medium 5.5 golang.org/x/net-v0.30.0 Transitive N/A*
CVE-2024-45338 Medium 5.3 golang.org/x/net-v0.30.0 Transitive N/A*
CVE-2024-51744 Low 3.1 github.com/form3tech-oss/jwt-go-v3.2.5+incompatible Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-22870

Vulnerable Library - golang.org/x/net-v0.30.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.30.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.30.0.mod

Dependency Hierarchy:

  • github.com/SnowflakeDB/gosnowflake-v1.6.19 (Root Library)
    • github.com/gabriel-vasile/mimeType-v1.4.1
      • golang.org/x/net-v0.30.0 (Vulnerable Library)

Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92

Found in base branch: master

Vulnerability Details

In Go net/http, x/net/proxy, x/net/http/httpproxy there is a proxy bypass vulnerability using IPv6 zone IDs. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied. This affects versions before 1.23.7 and 1.24.x before 1.24.1.

Publish Date: 2025-03-08

URL: CVE-2025-22870

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: golang/go@334de79

Release Date: 2025-03-08

Fix Resolution: go1.24.1

CVE-2024-45338

Vulnerable Library - golang.org/x/net-v0.30.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.30.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.30.0.mod

Dependency Hierarchy:

  • github.com/SnowflakeDB/gosnowflake-v1.6.19 (Root Library)
    • github.com/gabriel-vasile/mimeType-v1.4.1
      • golang.org/x/net-v0.30.0 (Vulnerable Library)

Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92

Found in base branch: master

Vulnerability Details

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Publish Date: 2024-12-18

URL: CVE-2024-45338

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: golang/go#70906

Release Date: 2024-12-18

Fix Resolution: github.com/golang/net-v0.33.0

CVE-2024-51744

Vulnerable Library - github.com/form3tech-oss/jwt-go-v3.2.5+incompatible

Library home page: https://proxy.golang.org/github.com/form3tech-oss/jwt-go/@v/v3.2.5+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/github.com/form3tech-oss/jwt-go/@v/v3.2.5+incompatible.mod

Dependency Hierarchy:

  • github.com/SnowflakeDB/gosnowflake-v1.6.19 (Root Library)
    • github.com/form3tech-oss/jwt-go-v3.2.5+incompatible (Vulnerable Library)

Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92

Found in base branch: master

Vulnerability Details

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

Publish Date: 2024-11-04

URL: CVE-2024-51744

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-29wx-vh33-7x7r

Release Date: 2024-11-04

Fix Resolution: github.com/golang-jwt/jwt-v4.5.1

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions