Inclusion of Sensitive Information in Log Files in snowflake-jdbc - CVE-2025-27496
Published: June 27, 2025
Vulnerability identifier: #VU112020
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-27496
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Snowflake Computing (snowflakedb)
Affected software:
snowflake-jdbc
snowflake-jdbc
Detailed vulnerability description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands when the logging level was set to DEBUG. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. A local user can read the log files and gain access to sensitive data.
How to mitigate CVE-2025-27496
Install updates from vendor's website.