PT-2024-30544 · Snowflake · Snowflake Jdbc Driver

Published: 2024-10-30 · Updated: 2024-11-01 · CVE-2024-43382

CVSS v4.0: 6.5 (Medium)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions: Snowflake JDBC driver versions >= 3.2.6 and <= 3.19.1

Description: The issue affects Snowflake JDBC drivers, resulting in data being uploaded to an encrypted stage without the additional layer of protection provided by client-side encryption. This occurs when the CLIENT_ENCRYPTION_KEY_SIZE account parameter is set to 256-bit rather than the default 128-bit, and affects only a subset of accounts hosted on Azure and GCP deployments. The data is still protected by TLS in transit and by server-side encryption at rest. The missing layer of additional protection is not visible to the affected customers.

Recommendations: For Snowflake JDBC driver versions >= 3.2.6 and <= 3.19.1, upgrade to version 3.20.0 or later as soon as possible to fix the incorrect security setting. As a temporary workaround, avoid setting the CLIENT_ENCRYPTION_KEY_SIZE parameter to 256-bit until the issue is resolved. Restrict access to stages created with the vulnerable JDBC driver versions to minimize the risk of exploitation.
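A small triage helper, added here as an example and not part of the advisory or of Snowflake's own tooling, that applies the conditions above to an inventory of accounts: it flags driver versions inside the affected range and separates the accounts where uploads actually lost client-side encryption (affected driver, CLIENT_ENCRYPTION_KEY_SIZE = 256, Azure or GCP) from those that merely need the upgrade. The `Deployment` record and the `SAMPLE_INVENTORY` entries are constructed for illustration; the key-size value would in practice be read from the account parameter (for example with `SHOW PARAMETERS LIKE 'CLIENT_ENCRYPTION_KEY_SIZE' IN ACCOUNT`). The version check compares numeric tuples on purpose: a plain string comparison ranks "3.19.1" below "3.2.6" and would miss most of the affected range.

```python
"""Triage helper for CVE-2024-43382 (Snowflake JDBC driver), example code.

Affected range per the advisory: >= 3.2.6 and <= 3.19.1; fixed in 3.20.0.
Uploads lose client-side encryption only when the affected driver is combined
with CLIENT_ENCRYPTION_KEY_SIZE = 256 on an Azure or GCP account.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

AFFECTED_MIN = (3, 2, 6)     # first affected version (inclusive)
AFFECTED_MAX = (3, 19, 1)    # last affected version (inclusive)
FIXED_VERSION = (3, 20, 0)   # first version carrying the fix
CLOUDS_AT_RISK = {"azure", "gcp"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.13.30' into (3, 13, 30); pad short versions ('3.20' -> (3, 20, 0)).
    A pre-release suffix such as '3.20.0-rc1' is dropped, so it counts as 3.20.0."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected_version(version: str) -> bool:
    """True when the driver version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass(frozen=True)
class Deployment:
    """One Snowflake account and the JDBC driver version its clients use.
    Constructed inventory record; the field values below are examples."""
    account: str
    driver_version: str
    cloud: str                       # 'aws', 'azure' or 'gcp'
    client_encryption_key_size: int  # account parameter value: 128 or 256


def uploads_lack_client_side_encryption(d: Deployment) -> bool:
    """True when, per the advisory, stage uploads from this deployment were
    made without client-side encryption. AWS accounts and accounts on the
    default 128-bit key size keep client-side encryption even with an
    affected driver; they still need the upgrade."""
    return (
        is_affected_version(d.driver_version)
        and d.client_encryption_key_size == 256
        and d.cloud.lower() in CLOUDS_AT_RISK
    )


def triage(deployments: Iterable[Deployment]) -> List[Tuple[str, str]]:
    """Return (account, verdict) pairs:
    'exposed' - data reached a stage without client-side encryption;
    'upgrade' - affected driver, but the account settings do not trigger the bug;
    'ok'      - driver outside the affected range."""
    verdicts = []
    for d in deployments:
        if uploads_lack_client_side_encryption(d):
            verdicts.append((d.account, "exposed"))
        elif is_affected_version(d.driver_version):
            verdicts.append((d.account, "upgrade"))
        else:
            verdicts.append((d.account, "ok"))
    return verdicts


SAMPLE_INVENTORY = [  # constructed sample data, not real accounts
    Deployment("acme_gcp", "3.13.30", "gcp", 256),
    Deployment("acme_azure", "3.19.1", "azure", 256),
    Deployment("acme_aws", "3.19.1", "aws", 256),
    Deployment("acme_azure_128", "3.19.1", "azure", 128),
    Deployment("acme_patched", "3.20.0", "azure", 256),
    Deployment("acme_old", "3.2.5", "azure", 256),
]

if __name__ == "__main__":
    for account, verdict in triage(SAMPLE_INVENTORY):
        print(f"{account:16s} {verdict}")
```

Accounts reported as "exposed" are the ones whose existing stage contents should be treated as lacking the extra client-side layer, which is where the advisory's advice to restrict access to those stages applies; "upgrade" accounts are not exposed by this bug but should still move to 3.20.0 or later.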

Fix

Weakness Enumeration

Missing Encryption of Sensitive Data (CWE-311)
Inadequate Encryption Strength (CWE-326)

Related Identifiers

CVE-2024-43382
GHSA-F686-HW9C-XW9C

Affected Products

Snowflake Jdbc Driver