CVE-2024-49750

MEDIUM

Snowflake Connector for Python <3.12.3 - Info Disclosure

Title source: llm

Description

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes (when specified via the `passcode` parameter) and Azure SAS tokens. Additionally, the SecretDetector logging formatter, if enabled, contained bugs which caused it to not fully redact JWT tokens and certain private key formats. Snowflake released version 3.12.3 of the Snowflake Connector for Python, which fixes the issue. In addition to upgrading, users should review their logs for any potentially sensitive information that may have been captured.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/snowflakedb/snowflake-connector-python/security/advisories/GHSA-5vvg-pvhp-hv2m

Patch x_refsource_misc

https://github.com/snowflakedb/snowflake-connector-python/commit/dbc9284a3c0382c131b971b35e8d6ab93c46f37a

View Patch ZIP pw:eip

Scores

CVSS v3 5.5

EPSS 0.0020

EPSS Percentile 10.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (2)

pypi/snowflake-connector-python 0 - 3.12.3PyPI

snowflake/snowflake_connector < 3.12.3

Published Oct 24, 2024

Tracked Since Feb 18, 2026