net.snowflake:snowflake-jdbc@3.12.12 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.snowflake:snowflake-jdbc package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Missing Encryption of Sensitive Data

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to a misbounded check in the createUploadStream() function for Azure and GCP systems. When the CLIENT_ENCRYPTION_KEY_SIZE of a stage using a JDBC driver is set to the non-default 256-bit size. An attacker can upload data which will be stored on the client side without encryption. It is still encrypted in transit and on the server.

Note: AWS deployments are not vulnerable.

How to fix Missing Encryption of Sensitive Data?

Upgrade net.snowflake:snowflake-jdbc to version 3.20.0 or higher.

[3.2.6,3.20.0)
  • H
Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution via SSO URL authentication.

How to fix Arbitrary Code Execution?

Upgrade net.snowflake:snowflake-jdbc to version 3.13.29 or higher.

[,3.13.29)