Veracode Vulnerability DatabaseVERACODE:44835Improper Certificate Validation
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
4.6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
18.2%
Snowflake.data is vulnerable to Improper Certificate Validation. The vulnerability is due to not checking the Certificate Revocation List (CRL) when insecureMode is set to its default value of false. This allows an attacker with access to the private key of a correctly issued certificate to execute a Man-in-the-Middle (MitM) attack to compromise credentials used by the driver.
| CPE | Name | Operator | Version |
|---|---|---|---|
| snowflake.data | le | 2.1.4 | |
| snowflake.data | le | 2.1.4 |
References
docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023
github.com/advisories/GHSA-hwcc-4cv8-cf3h
github.com/snowflakedb/snowflake-connector-net/commit/49cb77ddd6e18c110eca35aa580e89d73c46cc33
github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-hwcc-4cv8-cf3h
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
4.6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
18.2%