CVE-2023-51662 MEDIUM

CVE-2023-51662: Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)

Vendor Snowflakedb
Product snowflake-connector-net
Weakness CWE-295
Published December 22, 2023
Last update August 2, 2024

CVSS base score

6.0/10
Attack vector Adjacent
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

The Snowflake .NET driver provides an interface to the Microsoft .NET open source software framework for developing applications. Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in version 2.1.5.

Key dates

02Disclosure timeline

December 22, 2023 CVE published
August 2, 2024 Record updated