CVE-2024-49750: The Snowflake Connector for Python stores sensitive data in logs
(updated )
Issue
Snowflake recently learned about and remediated a set of vulnerabilities in the Snowflake Connector for Python. Under specific conditions, certain users credentials (or portions of those credentials) were logged locally by the Connector to the users own systems. The credentials were not logged by Snowflake.
These vulnerabilities affect versions up to and including 3.12.2. Snowflake fixed the issue in version 3.12.3.
References
- github.com/advisories/GHSA-5vvg-pvhp-hv2m
- github.com/pypa/advisory-database/tree/main/vulns/snowflake-connector-python/PYSEC-2024-191.yaml
- github.com/snowflakedb/snowflake-connector-python
- github.com/snowflakedb/snowflake-connector-python/commit/dbc9284a3c0382c131b971b35e8d6ab93c46f37a
- github.com/snowflakedb/snowflake-connector-python/security/advisories/GHSA-5vvg-pvhp-hv2m
- nvd.nist.gov/vuln/detail/CVE-2024-49750
Code Behaviors & Features
Detect and mitigate CVE-2024-49750 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →