#VU112020 Inclusion of Sensitive Information in Log Files in snowflake-jdbc - CVE-2025-27496

Cybersecurity Help s.r.o.

Published: 2025-06-27

Vulnerability identifier: #VU112020

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-27496

CWE-ID: CWE-532

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
snowflake-jdbc
Other software / Other software solutions

Vendor: Snowflake Computing (snowflakedb)

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands when the logging level was set to DEBUG. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. A local user can read the log files and gain access to sensitive data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

snowflake-jdbc: 3.13.0 - 3.23.0

External links
https://github.com/snowflakedb/snowflake-jdbc/commit/ef81582ce2f1dbc3c8794a696c94f4fe65fad507
https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-q298-375f-5q63

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Inclusion of Sensitive Information in Snowflake JDBC