Home > Vulnerability Database > CVE-2024-43382

Mend.io Vulnerability Database

CVE-2024-43382

Good to know:

Date: October 29, 2024

Snowflake recently identified an issue affecting JDBC drivers that can result in data being uploaded to an encrypted stage without the additional layer of protection provided by client side encryption. The issue, which affects only a subset of accounts hosted on Azure and GCP deployments (AWS deployments are not affected), manifests in instances where customers create a stage using a JDBC driver with the CLIENT_ENCRYPTION_KEY_SIZE account parameter set to 256-bit rather than the default 128-bit. The data is still protected by TLS in transit and server side encryption at rest. This missed layer of the additional protection is not visible to the affected customers.

Language: Java

Severity Score

5.9

Related Resources (4)

Url: https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-f686-hw9c-xw9c

Url: https://github.com/snowflakedb/snowflake-jdbc

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-43382

Url: https://www.mend.io/vulnerability-database/CVE-2024-43382

Severity Score

5.9

Weakness Type (CWE)

Inadequate Encryption Strength

CWE-326

Missing Encryption of Sensitive Data

CWE-311

Top Fix

Upgrade Version

Upgrade to version net.snowflake:snowflake-jdbc:3.20.0

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-43382

Good to know:

Date: October 29, 2024

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?