[Snyk: High] net.snowflake:snowflake-jdbc Missing Encryption of Sensitive Data (Due: 12/06/24)

[cnlucas]

Introduced through
org.flywaydb:[email protected]
Fixed in
net.snowflake:[email protected]

Exploit maturity
No known exploit

Detailed paths

Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › net.snowflake:[email protected]

Security information
Factors contributing to the scoring:

Snyk: [CVSS v4.0 7.4](https://security.snyk.io/vuln/SNYK-JAVA-NETSNOWFLAKE-8310506) - High Severity | [CVSS v3.1 5.9](https://security.snyk.io/vuln/SNYK-JAVA-NETSNOWFLAKE-8310506) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to a misbounded check in the createUploadStream() function for Azure and GCP systems. When the CLIENT_ENCRYPTION_KEY_SIZE of a stage using a JDBC driver is set to the non-default 256-bit size. An attacker can upload data which will be stored on the client side without encryption. It is still encrypted in transit and on the server.

Note: AWS deployments are not vulnerable.