#VU112020 Inclusion of Sensitive Information in Log Files in snowflake-jdbc - CVE-2025-27496

 


Published: June 27, 2025


Vulnerability identifier: #VU112020
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-27496
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: snowflake-jdbc
Software vendor: Snowflake Computing (snowflakedb)

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because the driver logged the client-side encryption master key of the target stage locally during the execution of GET/PUT commands when the logging level was set to DEBUG. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. A local user can read the log files and gain access to sensitive data.


Remediation

Install updates from the vendor's website.
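
One way to check DEBUG logs already on disk for leaked key material and redact it, as an added example that is not from this advisory or from Snowflake. The field-name pattern, the AES key-length heuristic and the sample lines are assumptions; the driver's actual log format is not given here.

```python
import base64
import re

# Assumption: the key is logged as a labelled base64 value, e.g. masterKey=<b64>
# or "queryStageMasterKey": "<b64>". The driver's real DEBUG format may differ.
KEY_FIELD = re.compile(
    r'(?P<label>\w*master_?key\w*)(?P<sep>["\']?\s*[:=]\s*["\']?)'
    r'(?P<value>[A-Za-z0-9+/]{16,}={0,2})',
    re.IGNORECASE,
)
AES_KEY_BYTES = {16, 24, 32}

def looks_like_aes_key(value):
    """True if value is strict base64 that decodes to an AES key length."""
    try:
        return len(base64.b64decode(value, validate=True)) in AES_KEY_BYTES
    except ValueError:  # binascii.Error subclasses ValueError
        return False

def scan_line(line):
    """Return (line with key values redacted, number of redactions)."""
    hits = 0
    def redact(match):
        nonlocal hits
        if not looks_like_aes_key(match.group("value")):
            return match.group(0)  # labelled value, but not key-shaped
        hits += 1
        return match.group("label") + match.group("sep") + "[REDACTED]"
    return KEY_FIELD.sub(redact, line), hits

def scan_log(lines):
    """Return (1-based line numbers with key material, redacted lines)."""
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        clean, hits = scan_line(line)
        redacted.append(clean)
        if hits:
            findings.append(number)
    return findings, redacted

if __name__ == "__main__":
    key = base64.b64encode(bytes(range(16))).decode()  # constructed sample key
    sample = [  # constructed log lines, not real driver output
        "DEBUG executing PUT file:///tmp/a.csv @my_stage",
        'DEBUG stage info {"queryStageMasterKey": "%s"}' % key,
    ]
    print(scan_log(sample))
```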

External links