Snowflake Connector for C/C++ Local Logging of Encryption Keys Vulnerability

Vulnerability

A vulnerability exists in the Snowflake Connector for C/C++ (libsnowflakeclient), affecting versions from 0.5.0 up to, but not including, 2.2.0. When the logging level is set to DEBUG, the connector logs the client-side encryption master key for the target stage during GET and PUT operations. This key, labeled 'queryStageMasterKey', does not provide access to sensitive data without additional authorizations and is not recorded on the Snowflake server. The vulnerability has been addressed in version 2.2.0.

Impact

The vulnerability causes sensitive encryption keys to be written to local logs, where they could be exploited if the logged data is accessed by unauthorized individuals.

Reproduction

To reproduce this vulnerability, use a version of the Snowflake Connector for C/C++ that is between 0.5.0 and 2.1.0. Set the logging level to DEBUG and execute GET or PUT commands. The 'queryStageMasterKey' will be logged, exposing the client-side encryption master key.

Remediation

Upgrade to version 2.2.0 of the Snowflake Connector for C/C++. Instructions for updating can be found in the release notes on the project's GitHub repository.
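
Log files written at DEBUG level by an affected version still hold the key after the upgrade, so existing logs are worth checking. The following is an added example, not code from Snowflake or the connector: it finds lines carrying a 'queryStageMasterKey' value and redacts them without echoing the key. Only the label comes from the advisory; the log layout matched by the pattern, the function name scan_and_redact and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# The label comes from the advisory; the surrounding layout (JSON or
# key=value, base64-like value) is an assumption about the log format.
KEY_RE = re.compile(
    r'(queryStageMasterKey["\']?\s*[:=]\s*["\']?)([A-Za-z0-9+/=_-]+)'
)

def scan_and_redact(lines):
    """Return (findings, redacted_lines).

    findings holds the 1-based numbers of lines that carried a key value.
    The value itself is never returned, so the report is safe to share.
    """
    findings, redacted = [], []
    for lineno, line in enumerate(lines, start=1):
        new_line, hits = KEY_RE.subn(r'\g<1>[REDACTED]', line)
        if hits:
            findings.append(lineno)
        redacted.append(new_line)
    return findings, redacted

# Constructed sample log lines (not real connector output, not a real key).
SAMPLE_LOG = [
    '2025-06-09 19:46:01 DEBUG starting PUT to stage',
    '2025-06-09 19:46:01 DEBUG response {"queryStageMasterKey":"Q09OU1RSVUNURURLRVk9PQ==","n":1}',
    '2025-06-09 19:46:02 INFO upload finished',
    '2025-06-09 19:46:05 DEBUG queryStageMasterKey = ZHVtbXlrZXl2YWx1ZQ==',
]

if __name__ == "__main__":
    # With file arguments, report affected lines per file; otherwise demo.
    sources = sys.argv[1:]
    if not sources:
        hits, clean = scan_and_redact(SAMPLE_LOG)
        print("sample lines with key material:", hits)
        print("\n".join(clean))
    for path in sources:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits, _ = scan_and_redact(fh)
        for lineno in hits:
            print(f"{path}:{lineno}: queryStageMasterKey value present")
```

Run it with log file paths as arguments to list affected lines; adjust the pattern once the real log layout is confirmed.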

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.