PT-2024-33662 · Snowflake · Snowflake Connector For Python

Published

2024-10-24

·

Updated

2024-11-06

·

CVE-2024-49750

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Snowflake Connector for Python, versions prior to 3.12.3
Description: The Snowflake Connector for Python can write sensitive material into its log output. When the logging level is set to DEBUG, the connector may log Duo passcodes supplied through the passcode connection parameter and Azure SAS tokens. Separately, the SecretDetector logging formatter, when enabled, has bugs that leave JWT tokens and certain private key formats only partially redacted, so enabling it does not make DEBUG logs safe. Anyone who can read the log files, or the system that collects them, can recover these secrets; the CVSS vector reflects local access with low privileges and a confidentiality impact only.
Recommendations: Upgrade to version 3.12.3 or later. Until the upgrade is applied, run the connector with a log level above DEBUG (INFO or higher) and do not rely on the SecretDetector formatter to sanitize DEBUG output. Review any logs that were written at DEBUG level: treat an Azure SAS token found there as exposed and revoke or regenerate it, and rotate any JWT or private key that appears unredacted (Duo passcodes are short-lived, but their presence still shows the log was capturing credentials). Restrict read access to the log files and to any log aggregation system that received them.
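The following is an added triage example, written for this page and not code from Snowflake or the connector project. It does three things a practitioner would want: decides whether an installed version is in the affected range, applies the interim workaround by pinning the connector's logger (the logger name snowflake.connector is the one the connector documents) above DEBUG, and scans existing log text for the secret types the advisory names. The regular expressions, the function names and the sample log lines are my own constructions, not the connector's SecretDetector; the scanner is deliberately stricter than a formatter because it is meant for after-the-fact review of logs that may already contain secrets.

```python
"""Triage helpers for CVE-2024-49750 (Snowflake Connector for Python < 3.12.3).

Added example for log review and the DEBUG-level workaround. Not part of the
connector; patterns and sample data below are constructed for illustration.
"""
import logging
import re

FIXED_VERSION = (3, 12, 3)


def parse_version(version: str) -> tuple:
    """Turn '3.12.2' (or '3.12.2rc1') into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are ignored, so treat '3.12.3rc1' with care."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the installed connector is older than the fixed release 3.12.3."""
    return parse_version(version) < FIXED_VERSION


def configure_connector_logging(level: int = logging.INFO) -> logging.Logger:
    """Interim workaround: keep the connector's logger at INFO or above so the
    DEBUG paths that emit passcodes and SAS tokens never run."""
    log = logging.getLogger("snowflake.connector")
    log.setLevel(level)
    return log


# Patterns for the secret types named in the advisory (assumed shapes, not the
# connector's own detector): Duo passcode parameter, Azure SAS signature,
# JSON Web Token, PEM private key block.
PATTERNS = {
    "duo_passcode": re.compile(r"\bpasscode=([^\s&]+)"),
    "azure_sas_sig": re.compile(r"([?&])sig=([A-Za-z0-9%+/=]+)"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
        r".*?-----END (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----",
        re.S,
    ),
}


def find_secrets(log_text: str) -> list:
    """Return sorted (line_number, kind) pairs for every secret found.
    Multi-line private keys are reported at the line of their BEGIN marker."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(log_text):
            line_no = log_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, kind))
    return sorted(findings)


def redact(log_text: str) -> str:
    """Replace each detected secret with a placeholder, keeping non-secret
    context (timestamps, logger names, SAS query parameters other than sig)."""
    out = PATTERNS["duo_passcode"].sub("passcode=[REDACTED]", log_text)
    out = PATTERNS["azure_sas_sig"].sub(r"\1sig=[REDACTED]", out)
    out = PATTERNS["jwt"].sub("[REDACTED JWT]", out)
    out = PATTERNS["private_key"].sub("[REDACTED PRIVATE KEY]", out)
    return out


# Constructed sample of what a DEBUG log from an affected version might contain.
SAMPLE_LOG = """\
2024-10-20 10:01:02,123 DEBUG snowflake.connector.connection: connecting with passcode=123456 user=alice
2024-10-20 10:01:03,456 DEBUG snowflake.connector.storage: PUT https://acct.blob.core.windows.net/stage/f.csv.gz?sv=2021-08-06&se=2024-10-21T00%3A00Z&sr=c&sp=rw&sig=abc123DEF456%2Fghi%3D
2024-10-20 10:01:04,789 DEBUG snowflake.connector.auth: token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
2024-10-20 10:01:05,000 INFO snowflake.connector.connection: query succeeded
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("affected 3.12.2:", is_affected("3.12.2"))
    for line_no, kind in find_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {kind}")
    print(redact(SAMPLE_LOG))
```

Run find_secrets over the real connector log files before deciding whether anything needs rotating; redact is for producing a copy safe to share with an incident ticket, not a substitute for upgrading or for lowering the log level.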

Weakness Enumeration

CWE-532: Insertion of Sensitive Information into Log File

Related Identifiers

CVE-2024-49750
GHSA-5VVG-PVHP-HV2M
PYSEC-2024-191

Affected Products

Snowflake Connector For Python