ghsa-f686-hw9c-xw9c
Vulnerability from github
6.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Impacted Products
Snowflake JDBC driver versions >= 3.2.6 & <= 3.19.1 are affected.
Introduction
Snowflake recently identified an issue affecting JDBC drivers that can result in data being uploaded to an encrypted stage without the additional layer of protection provided by client side encryption. The issue, which affects only a subset of accounts hosted on Azure and GCP deployments (AWS deployments are not affected), manifests in instances where customers create a stage using a JDBC driver with the CLIENT_ENCRYPTION_KEY_SIZE account parameter set to 256-bit rather than the default 128-bit. The data is still protected by TLS in transit and server side encryption at rest. This missed layer of the additional protection is not visible to the affected customers.
Incorrect Security Setting Vulnerability
Description
Snowflake identified an incorrect security setting in Snowflake JDBC drivers. Snowflake has evaluated the severity of the issue and determined it was in medium range with a maximum CVSSv3 base score of 5.9.
Scenarios and attack vector(s)
Users of Snowflake JDBC drivers with accounts on Azure and GCP deployments who set the parameter CLIENT_ENCRYPTION_KEY_SIZE = 256 were subject to this incorrect security setting vulnerability as it could result in data being uploaded to a stage without an additional layer for encryption.
Our response
On July 23, 2024, Snowflake discovered this vulnerability. On 10/28/2024, Snowflake released a patch in Snowflake JDBC driver Version 3.20.0. The patch fixes the incorrect security setting.
Resolution
We strongly recommend users to upgrade to 3.20.0 or later versions as soon as possible.
Contact
If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.19.1"
},
"package": {
"ecosystem": "Maven",
"name": "net.snowflake:snowflake-jdbc"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.6"
},
{
"fixed": "3.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43382"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-30T14:37:53Z",
"nvd_published_at": "2024-10-30T21:15:14Z",
"severity": "MODERATE"
},
"details": "### Impacted Products\nSnowflake JDBC driver versions \u003e= 3.2.6 \u0026 \u003c= 3.19.1 are affected.\n\n### Introduction\nSnowflake recently identified an issue affecting JDBC drivers that can result in data being uploaded to an encrypted stage without the additional layer of protection provided by client side encryption. The issue, which affects only a subset of accounts hosted on Azure and GCP deployments (AWS deployments are not affected), manifests in instances where customers create a stage using a JDBC driver with the CLIENT_ENCRYPTION_KEY_SIZE account parameter set to 256-bit rather than the default 128-bit. The data is still protected by TLS in transit and server side encryption at rest. This missed layer of the additional protection is not visible to the affected customers.\n\n### Incorrect Security Setting Vulnerability \n#### Description\nSnowflake identified an incorrect security setting in Snowflake JDBC drivers. Snowflake has evaluated the severity of the issue and determined it was in medium range with a maximum CVSSv3 base score of 5.9. \n#### Scenarios and attack vector(s)\nUsers of Snowflake JDBC drivers with accounts on Azure and GCP deployments who set the parameter CLIENT_ENCRYPTION_KEY_SIZE = 256 were subject to this incorrect security setting vulnerability as it could result in data being uploaded to a stage without an additional layer for encryption. \n#### Our response\nOn July 23, 2024, Snowflake discovered this vulnerability. On 10/28/2024, Snowflake released a patch in Snowflake JDBC driver Version 3.20.0. The patch fixes the incorrect security setting. \n#### Resolution\nWe strongly recommend users to upgrade to 3.20.0 or later versions as soon as possible. \n\n### Contact\nIf you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).\n",
"id": "GHSA-f686-hw9c-xw9c",
"modified": "2024-10-31T19:36:18Z",
"published": "2024-10-30T14:37:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-f686-hw9c-xw9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43382"
},
{
"type": "PACKAGE",
"url": "https://github.com/snowflakedb/snowflake-jdbc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Snowflake JDBC Security Advisory"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.