CVE-2024-49750 Overview
CVE-2024-49750 is a sensitive data exposure vulnerability in the Snowflake Connector for Python, which provides an interface for developing Python applications that connect to Snowflake cloud data platform. When the logging level was configured to DEBUG by the user, the connector would inadvertently log sensitive authentication credentials including Duo passcodes (when specified via the passcode parameter) and Azure SAS tokens. Additionally, the SecretDetector logging formatter, designed to redact sensitive information, contained bugs that prevented it from fully redacting JWT tokens and certain private key formats.
Critical Impact
Sensitive authentication credentials including Duo MFA passcodes, Azure SAS tokens, JWT tokens, and private keys may be exposed in application logs when DEBUG logging is enabled, potentially leading to credential theft and unauthorized access to Snowflake data warehouses.
Affected Products
- Snowflake Connector for Python versions prior to 3.12.3
- Applications using DEBUG logging level with the Snowflake Connector
- Environments utilizing SecretDetector logging formatter
Discovery Timeline
- October 24, 2024 - CVE-2024-49750 published to NVD
- November 6, 2024 - Last updated in NVD database
Technical Details for CVE-2024-49750
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File), a common weakness where applications write sensitive data to log files that may be accessible to unauthorized parties. The Snowflake Connector for Python failed to properly sanitize sensitive authentication data before writing to log files when DEBUG logging was enabled.
The issue manifests in two distinct ways: first, when users explicitly enable DEBUG-level logging, the connector logs Duo passcodes passed via the passcode parameter and Azure SAS tokens in plaintext. Second, the SecretDetector logging formatter—a security feature specifically designed to prevent such exposures—contained implementation bugs that caused incomplete redaction of JWT tokens and certain private key formats.
The local attack vector requires an attacker to have access to the log files where DEBUG output is written. This could occur through misconfigured file permissions, shared logging infrastructure, log aggregation services, or insider access to development and production systems.
Root Cause
The root cause of this vulnerability stems from insufficient input sanitization in the logging subsystem of the Snowflake Connector for Python. The DEBUG logging handlers were not designed to filter sensitive authentication parameters before output. Additionally, the SecretDetector formatter contained regex or pattern-matching bugs that failed to identify and redact all variations of JWT token formats and private key encodings, defeating its intended security purpose.
Attack Vector
An attacker with local access to systems running applications using the Snowflake Connector for Python could exploit this vulnerability by:
- Gaining access to application log files through misconfigured permissions, shared filesystems, or log aggregation platforms
- Searching log files for exposed Duo passcodes, Azure SAS tokens, JWT tokens, or private key material
- Using harvested credentials to authenticate to Snowflake data warehouses or associated Azure services
- Pivoting to access sensitive data stored in Snowflake or perform unauthorized operations
The vulnerability requires DEBUG logging to be enabled, which is commonly done during development, troubleshooting, or in environments with verbose logging configurations. Organizations that ship logs to centralized logging platforms (SIEM, ELK stack, cloud logging services) may have inadvertently stored sensitive credentials in these systems.
Detection Methods for CVE-2024-49750
Indicators of Compromise
- Log files containing plaintext Duo passcodes or Azure SAS tokens
- JWT tokens appearing in DEBUG-level log entries without proper redaction
- Private key material present in application logs
- Unexpected authentication attempts to Snowflake using previously logged credentials
- Anomalous data access patterns following log exposure incidents
Detection Strategies
- Audit application configurations to identify instances where DEBUG logging is enabled for the Snowflake Connector
- Scan historical log files for patterns matching Duo passcodes, Azure SAS tokens, and JWT formats
- Review log aggregation platforms for exposed sensitive authentication data
- Monitor Snowflake audit logs for suspicious authentication or access patterns
- Implement log scanning rules to detect credential patterns in new log entries
Monitoring Recommendations
- Enable SentinelOne Singularity to monitor file access patterns to log directories containing Snowflake Connector output
- Configure alerts for unusual access to application log files by non-service accounts
- Implement real-time log scanning for credential exposure patterns
- Monitor Snowflake connection attempts and flag authentication from unexpected sources
- Track changes to logging configuration files that could enable DEBUG mode
How to Mitigate CVE-2024-49750
Immediate Actions Required
- Upgrade the Snowflake Connector for Python to version 3.12.3 or later immediately
- Review all existing log files for potentially exposed credentials and rotate any compromised secrets
- Disable DEBUG-level logging in production environments unless absolutely necessary
- Audit Azure SAS tokens, Duo configurations, and JWT tokens that may have been logged
- Implement log retention policies that securely purge historical logs containing sensitive data
Patch Information
Snowflake has released version 3.12.3 of the Snowflake Connector for Python which addresses this vulnerability. The fix ensures proper sanitization of sensitive authentication parameters in DEBUG logs and corrects the SecretDetector formatter bugs to fully redact JWT tokens and private key formats. Users should upgrade immediately using pip:
For additional details, refer to the GitHub Security Advisory GHSA-5vvg-pvhp-hv2m and the associated commit for technical implementation details.
Workarounds
- Set logging level to INFO or higher in production environments to prevent sensitive data from being logged
- Implement custom log filters to redact sensitive parameters before they reach log handlers
- Restrict file permissions on log directories to prevent unauthorized access
- Configure log aggregation platforms to automatically redact or mask credential patterns
- Use environment variables or secure vaults for credential management instead of passing passcodes as parameters
# Configuration example - Upgrade Snowflake Connector and verify version
pip install --upgrade snowflake-connector-python>=3.12.3
python -c "import snowflake.connector; print(snowflake.connector.__version__)"
# Set logging level to INFO or higher in production
export SNOWFLAKE_LOG_LEVEL=INFO
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
