Logging Vulnerability in Snowflake JDBC Driver Affects Client-Side Encryption Keys
CVE-2025-27496

3.3 LOW

Key Information:

Vendor
CVE Published: 13 March 2025

What is CVE-2025-27496?

The Snowflake JDBC Driver contains a logging vulnerability in the versions listed below. When the logging level is set to DEBUG, the driver can inadvertently log the client-side encryption master key while executing GET and PUT commands. The key alone does not grant access to sensitive data without additional permissions, but its exposure still poses potential security risks. The issue is fixed in version 3.23.1 of the JDBC Driver.

Affected Version(s)

snowflake-jdbc >= 3.0.13, < 3.23.1
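
A check for the affected range above, as an added example (not part of the advisory and not Snowflake's own code): it scans text in the shape of jar file names, Gradle coordinates and Maven dependency entries for snowflake-jdbc versions and classifies each against >= 3.0.13, < 3.23.1. The function names and the sample input are constructed for illustration; the Maven pattern assumes <version> directly follows <artifactId>.

```python
import re
from typing import List, Tuple

# Affected range as stated in the advisory: >= 3.0.13, < 3.23.1
FIRST_AFFECTED = (3, 0, 13)
FIRST_FIXED = (3, 23, 1)

_PATTERNS = [
    # snowflake-jdbc-3.22.0.jar and net.snowflake:snowflake-jdbc:3.22.0
    re.compile(r"snowflake-jdbc[-:](\d+(?:\.\d+)*)"),
    # Maven: <artifactId>snowflake-jdbc</artifactId><version>...</version>
    re.compile(r"<artifactId>\s*snowflake-jdbc\s*</artifactId>\s*"
               r"<version>\s*([^<]+?)\s*</version>"),
]

def classify(version: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return "unknown"  # e.g. an unresolved ${property}: resolve it by hand
    v = tuple(int(p or 0) for p in m.groups())
    return "affected" if FIRST_AFFECTED <= v < FIRST_FIXED else "not affected"

def scan(text: str) -> List[Tuple[str, str]]:
    """Find every snowflake-jdbc version reference in text and classify it."""
    found = []
    for pattern in _PATTERNS:
        for m in pattern.finditer(text):
            found.append((m.group(1), classify(m.group(1))))
    return found

# Constructed sample input: a jar listing, a Gradle line and two Maven entries.
SAMPLE = """\
lib/snowflake-jdbc-3.22.0.jar
lib/snowflake-jdbc-3.23.1.jar
implementation "net.snowflake:snowflake-jdbc:3.0.12"
<dependency>
  <groupId>net.snowflake</groupId>
  <artifactId>snowflake-jdbc</artifactId>
  <version>3.13.30</version>
</dependency>
<dependency>
  <artifactId>snowflake-jdbc</artifactId>
  <version>${snowflake.version}</version>
</dependency>
"""

if __name__ == "__main__":
    for version, status in scan(SAMPLE):
        print(f"{version:24} {status}")
```

An "unknown" result means the version is set through a build property and has to be resolved before the dependency can be cleared.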

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved