CVE-2023-51662: 
C# vulnerability analysis and mitigation

The Snowflake Connector .NET vulnerability (CVE-2023-51662) was discovered in versions 2.0.25 through 2.1.4, where the Certificate Revocation List (CRL) checks were not properly performed when the insecureMode flag was set to false (the default setting). The vulnerability was fixed in version 2.1.5, released on December 18, 2023 (Release Notes, Vendor Advisory).

The vulnerability stems from improper certificate validation (CWE-295) in the Snowflake .NET driver. The driver failed to properly check the Certificate Revocation List when the insecureMode flag was set to false. The vulnerability has received a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) from NIST NVD (NVD).

If exploited, this vulnerability could potentially allow an attacker who has both access to the private key of a correctly issued Snowflake certificate and the ability to intercept network traffic to perform a Man-in-the-Middle (MitM) attack. This could lead to the compromise of Snowflake credentials used by the driver (Vendor Advisory).

Snowflake has released version 2.1.5 of the Snowflake Connector .NET on December 18, 2023, which addresses this vulnerability. Users are strongly recommended to upgrade to this version. For those who must continue using impacted versions, setting the insecureMode flag to true is recommended as a temporary workaround (Vendor Advisory).