CVE-2024-21539
TOCTOU Race Condition vulnerability in plugin-kit (npm)
What is CVE-2024-21539 About?
This vulnerability is a TOCTOU (Time-of-Check to Time-of-Use) race condition in the Snowflake Connector for .NET's Easy Logging feature on Linux and macOS. It allows local attackers to overwrite logging configuration and control log output location, making it moderately difficult to exploit as it requires local access and precise timing.
Affected Software
Technical Details
A TOCTOU race condition exists in the Snowflake Connector for .NET (versions 2.1.2 through 4.4.0) when the Easy Logging feature is used on Linux and macOS. The Connector attempts to verify the permissions of the logging configuration file to ensure it can only be written to by its owner. However, this check is vulnerable to a TOCTOU flaw because it verifies file permissions incorrectly and, importantly, fails to verify that the file owner matches the user running the Connector. An attacker with local access and write permissions to the configuration file or its containing directory can exploit the time window between the Connector's permission check and its actual use of the file. During this window, the attacker can swap or modify the logging configuration file. This gives the attacker control over the logging level and, critically, the output location of logs, potentially diverting logs to a location they control or overwriting sensitive files with log data.
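The two defects described above (a permission check separated in time from the file use, and no ownership check) are closed by opening the file once, validating the open descriptor with fstat(), and reading from that same descriptor. The following is an added illustration of that pattern on POSIX, not code from the Snowflake Connector or from plugin-kit; the file contents and the helper names (`read_trusted_config`, `demo`) are constructed for the example.

```python
import os
import stat
import tempfile


class UnsafeConfigError(Exception):
    """The configuration file failed the owner/permission checks."""


def read_trusted_config(path: str) -> bytes:
    """Open once; validate the open fd with fstat(); read from that same fd."""
    # O_NOFOLLOW refuses symlinks, so the path cannot be redirected elsewhere.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        # fstat() on the descriptor describes exactly the file we will read,
        # so there is no window between the check and the use.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeConfigError("not a regular file")
        # The check the advisory says was missing: owner must be the running user.
        if st.st_uid != os.geteuid():
            raise UnsafeConfigError(f"owned by uid {st.st_uid}, not {os.geteuid()}")
        # Only the owner may write to it.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeConfigError(f"group/other writable: {oct(st.st_mode & 0o777)}")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenarios in a temporary directory; returns each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, loose, link = (os.path.join(d, n) for n in ("good", "loose", "link"))
        with open(good, "wb") as f:
            f.write(b'{"log_level": "info"}')
        os.chmod(good, 0o600)
        results["owner_only"] = read_trusted_config(good)
        with open(loose, "wb") as f:
            f.write(b'{"log_level": "trace"}')
        os.chmod(loose, 0o666)
        try:
            read_trusted_config(loose)
            results["world_writable"] = "accepted"
        except UnsafeConfigError:
            results["world_writable"] = "rejected"
        os.symlink(good, link)
        try:
            read_trusted_config(link)
            results["symlink"] = "accepted"
        except OSError:  # ELOOP raised because of O_NOFOLLOW
            results["symlink"] = "rejected"
    return results
```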
What is the Impact of CVE-2024-21539?
Successful exploitation may allow attackers with local access to overwrite logging configuration, gain control over logging level and output location, potentially leading to information disclosure, arbitrary file overwrite, or disruption of logging services.
What is the Exploitability of CVE-2024-21539?
Exploitation of this TOCTOU race condition requires local access to the system running the Snowflake Connector for .NET. The attacker needs write access to the logging configuration file or the directory containing it. The complexity is moderate, as it requires precise timing to execute the attack within the narrow window between the Connector's permission check and file use. This attack requires no specific authentication within the Connector itself, but it does require some level of local system access. The attack is local, not remote. Special conditions include the use of the Easy Logging feature on Linux or macOS. The risk factors are increased in multi-user environments or systems where untrusted processes might have sufficient file system privileges to interact with the Connector's configuration files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21539?
Available Upgrade Options
- @eslint/plugin-kit
- <0.2.3 → Upgrade to 0.2.3
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-21539
- https://security.snyk.io/vuln/SNYK-JS-ESLINTPLUGINKIT-8340627
- https://osv.dev/vulnerability/GHSA-7q7g-4xm8-89cq
- https://github.com/eslint/rewrite/security/advisories/GHSA-7q7g-4xm8-89cq
- https://github.com/eslint/rewrite/commit/071be842f0bd58de4863cdf2ab86d60f49912abf
- https://github.com/eslint/rewrite
What are Similar Vulnerabilities to CVE-2024-21539?
Similar Vulnerabilities: CVE-2022-26960, CVE-2022-26961, CVE-2023-27514, CVE-2023-29446, CVE-2022-21166
