logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-51662 snowflake.data

Package

Manager: nuget
Name: snowflake.data
Vulnerable Version: >=2.0.25 <2.1.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00266 pctl0.49858

Details

Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL) ### Issue Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in [version 2.1.5](https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023). ### Attack Scenario Snowflake uses CRL to check if a TLS certificate has been revoked before its expiration date. The lack of correct validation of revoked certificates could, in theory, allow an attacker who has both access to the private key of a correctly issued Snowflake certificate and the ability to intercept network traffic to perform a Man-in-the-Middle (MitM) attack in order to compromise Snowflake credentials used by the driver. The vulnerability is difficult to exploit given both conditions required and, at the time of this advisory's publication, Snowflake is not aware of any compromise of its certificates, nor unauthorized issuance of such by any publicly trusted Certificate Authority (CA). However, an upgrade to the newest version is recommended to ensure the highest level of security and protection against future unforeseen threats. ### Solution On December 18, 2023, Snowflake released [version 2.1.5](https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023) of the Snowflake Connector .NET, which fixes the issue, and we recommend users upgrade to [version 2.1.5](https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023). Customers continuing to use the impacted versions of the connector should update their insecureMode flag to true. ### Acknowledgement Snowflake would like to thank [Timo Vink](https://github.com/TimoVink) for reporting this vulnerability. ### Additional Information If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).

Metadata

Created: 2023-12-22T19:51:09Z
Modified: 2023-12-22T19:51:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hwcc-4cv8-cf3h/GHSA-hwcc-4cv8-cf3h.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-hwcc-4cv8-cf3h
Finding: F163
Auto approve: 1