GHSA-q298-375f-5q63

Suggest an improvement
Source
https://github.com/advisories/GHSA-q298-375f-5q63
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-q298-375f-5q63/GHSA-q298-375f-5q63.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q298-375f-5q63
Aliases
Published
2025-03-13T18:57:46Z
Modified
2025-03-13T21:47:33.651339Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Snowflake JDBC Driver client-side encryption key in DEBUG logs
Details

Issue

Snowflake discovered and remediated a vulnerability in the Snowflake JDBC driver (“Driver”). When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake.

This vulnerability affects Driver versions 3.0.13 through 3.23.0. Snowflake fixed the issue in version 3.23.1.

Vulnerability Details

When the logging level was set to DEBUG, the Driver would locally log the client-side encryption master key of the target stage during the execution of GET/PUT commands. The key was logged in a JSON object under the queryStageMasterKey key. The key by itself does not grant access to any sensitive data.

Solution

Snowflake released version 3.23.1 of the Snowflake JDBC driver, which fixes this issue. We highly recommend users upgrade to version 3.23.1.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Database specific 
{
    "nvd_published_at": "2025-03-13T19:15:52Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-13T18:57:46Z"
}
References

Affected packages

Maven / net.snowflake:snowflake-jdbc

Package

Name
net.snowflake:snowflake-jdbc
View open source insights on deps.dev
Purl
pkg:maven/net.snowflake/snowflake-jdbc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.13
Fixed
3.23.1

Affected versions

3.*

3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.6.10
3.6.11
3.6.12
3.6.13
3.6.14
3.6.15
3.6.16
3.6.17
3.6.18
3.6.19
3.6.20
3.6.21
3.6.22
3.6.23
3.6.24
3.6.25
3.6.26
3.6.27
3.6.28
3.7.0
3.7.1
3.7.2
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.9.0
3.9.1
3.9.2
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.12.14
3.12.15
3.12.16
3.12.17
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5
3.13.6
3.13.7
3.13.8
3.13.9
3.13.10
3.13.11
3.13.12
3.13.13
3.13.14
3.13.15
3.13.16
3.13.17
3.13.18
3.13.19
3.13.20
3.13.21
3.13.22
3.13.23
3.13.24
3.13.25
3.13.26
3.13.27
3.13.28
3.13.29
3.13.30
3.13.31
3.13.32
3.13.33
3.13.34
3.14.0
3.14.1
3.14.2
3.14.3
3.14.4
3.14.5
3.15.0
3.15.1
3.16.0
3.16.1
3.17.0
3.18.0
3.19.0
3.19.1
3.20.0
3.21.0
3.22.0
3.23.0

Database specific 

{
    "last_known_affected_version_range": "<= 3.23.0"
}