
SMTP SSL connection should check server identity

    Details

    • Type: Vulnerability Detection
    • Status: Deprecated
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Enable server identity validation on this SMTP SSL connection
    • Highlighting:
      Instantiation of the Session/Connection object
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes

      Description

      When an SMTP SSL connection is created, some email libraries do not validate the SMTP server's identity by default. This is equivalent to trusting all SSL certificates, even one issued by a compromised SMTP server. The SMTP SSL connection should validate the certificate (including that it matches the expected host name) before the connection is used, to avoid leaking sensitive information over a compromised SSL connection.
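      The following Java snippet is an added illustration and is not part of the rule page or of SonarSource's own code. It shows the weak configuration next to the corrected one for the two libraries this rule covers: JavaMail (`javax.mail`), where the `mail.smtp.ssl.checkserveridentity` property controls host name verification, and Apache Commons Email (1.3 or later), which exposes the same switch as `setSSLCheckServerIdentity`. The host name is a constructed placeholder; the helper `checksServerIdentity` is an assumed name, not a library API.

```java
import java.util.Properties;
import javax.mail.Session;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

// Added example, not code from the rule page. Demonstrates the weak SMTP SSL
// setup beside the hardened one for JavaMail and Apache Commons Email.
public class SmtpSslIdentityCheck {

    // Constructed placeholder; replace with the real SMTP server.
    static final String SMTP_HOST = "smtp.example.invalid";
    static final String CHECK_IDENTITY = "mail.smtp.ssl.checkserveridentity";

    // Noncompliant: SSL is enabled, but the certificate is never matched
    // against SMTP_HOST. Any certificate that chains to a trusted CA is
    // accepted, whatever host it was issued for. In javax.mail 1.x the
    // checkserveridentity property defaults to false, so leaving it out
    // is the same as setting it to false.
    static Session noncompliantJavaMailSession() {
        Properties props = new Properties();
        props.put("mail.smtp.host", SMTP_HOST);
        props.put("mail.smtp.port", "465");
        props.put("mail.smtp.ssl.enable", "true");
        return Session.getInstance(props);
    }

    // Compliant: require that the server certificate matches the host name.
    // Setting it explicitly also protects against library versions whose
    // default differs from the one you tested with.
    static Session compliantJavaMailSession() {
        Properties props = new Properties();
        props.put("mail.smtp.host", SMTP_HOST);
        props.put("mail.smtp.port", "465");
        props.put("mail.smtp.ssl.enable", "true");
        props.put(CHECK_IDENTITY, "true");
        return Session.getInstance(props);
    }

    // Noncompliant: Commons Email wraps JavaMail and inherits the same
    // default, so SSL-on-connect alone does not verify the server identity.
    static Email noncompliantCommonsEmail() {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSSLOnConnect(true);
        return email;
    }

    // Compliant: turn on host name verification before the session is built.
    static Email compliantCommonsEmail() {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSSLOnConnect(true);
        email.setSSLCheckServerIdentity(true);
        return email;
    }

    // Assumed helper (not a library API): a small check that a unit test or
    // startup self-check can run against an already built Session. It reads
    // the effective property back; an absent or non-"true" value means the
    // identity check is off.
    static boolean checksServerIdentity(Session session) {
        return Boolean.parseBoolean(session.getProperty(CHECK_IDENTITY));
    }

    public static void main(String[] args) {
        System.out.println("noncompliant JavaMail session checks identity: "
                + checksServerIdentity(noncompliantJavaMailSession()));   // false
        System.out.println("compliant JavaMail session checks identity:    "
                + checksServerIdentity(compliantJavaMailSession()));      // true
    }
}
```

      The check matters most for code that builds the `Properties` object in one place and opens the connection somewhere else: the property is silently absent rather than visibly wrong, which is why this rule flags the instantiation site of the Session/Connection object rather than the send call. Note that `mail.smtp.ssl.trust="*"` is a further weakening that disables certificate chain validation entirely and should never be combined with the settings above.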

      See

        Attachments

          Issue Links

          1.
          Java RSPEC-4501 Language-Specification Active Unassigned

            Activity

              People

              • Assignee:
                Unassigned
              • Reporter:
                alexandre.gigleux Alexandre Gigleux
              • Votes:
                0
              • Watchers:
                2

                Dates

                • Created:
                  Updated: