Use of an insecure channel

Description

The system transmits information through a channel without encryption.

Impact

Capture confidential information and credentials in plain text.

Recommendation

Deploy the application over an encrypted communication channel, for instance, HTTPS with TLS.

Threat

Anonymous attacker on an adjacent network performing a man-in-the-middle attack.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 3.5
    • Temporal: 3.2
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Use secure channels to deploy the application

import okhttp3.ConnectionSpec
import org.apache.commons.net.ftp.FTPSClient
import org.apache.commons.net.smtp.SMTPSClient

fun main() {
    // FTP and SMTP over TLS instead of their cleartext counterparts
    val ftpsClient = FTPSClient()
    val smtpsClient = SMTPSClient()
    // HTTP connections restricted to modern TLS cipher suites and versions
    val spec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS).build()
}
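The compliant snippet only constructs the clients; the example below (added here, not code from the original page) shows each channel actually opened so that cleartext is refused rather than silently used. It assumes OkHttp 4 and Apache Commons Net; host names, ports, credentials and message contents are placeholders.

```kotlin
// Added example, not code from the original page. Hosts, ports, credentials
// and message contents are placeholders.
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request
import org.apache.commons.net.ftp.FTPSClient
import org.apache.commons.net.smtp.SMTPSClient

// HTTP: only MODERN_TLS is allowed. A request to an http:// URL does not
// fall back to plaintext; OkHttp throws UnknownServiceException
// ("CLEARTEXT communication not enabled for client").
val httpClient: OkHttpClient = OkHttpClient.Builder()
    .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))
    .build()

fun fetchOverTls(url: String): Int =
    httpClient.newCall(Request.Builder().url(url).build()).execute().use { it.code }

// FTP: explicit FTPS (AUTH TLS) on the control channel, then PROT P so that
// the data channel (file contents, listings) is encrypted as well.
fun uploadOverFtps(host: String, user: String, pass: String, remote: String, data: ByteArray): Boolean {
    val ftps = FTPSClient()            // not the cleartext FTPClient
    try {
        ftps.connect(host, 21)
        check(ftps.login(user, pass)) { "FTPS login failed" }
        ftps.execPBSZ(0)
        ftps.execPROT("P")             // protect the data channel too
        ftps.enterLocalPassiveMode()
        return data.inputStream().use { ftps.storeFile(remote, it) }
    } finally {
        if (ftps.isConnected) ftps.disconnect()
    }
}

// SMTP: connect on the submission port and require STARTTLS; if the server
// refuses to upgrade, abort instead of sending credentials and mail in the clear.
fun sendOverSmtps(host: String, from: String, to: String, body: String): Boolean {
    val smtp = SMTPSClient()           // explicit mode: upgrades with STARTTLS
    try {
        smtp.connect(host, 587)
        check(smtp.execTLS()) { "Server refused STARTTLS; not sending in cleartext" }
        return smtp.helo("client.example") &&
            smtp.setSender(from) && smtp.addRecipient(to) &&
            smtp.sendShortMessageData(body) && smtp.logout()
    } finally {
        if (smtp.isConnected) smtp.disconnect()
    }
}
```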

Non compliant code

Some insecure channels are used to deploy the application

import org.apache.commons.net.ftp.FTPClient
import org.apache.commons.net.ftp.FTPSClient
import org.apache.commons.net.smtp.SMTPClient
import org.apache.commons.net.smtp.SMTPSClient
import org.apache.commons.net.telnet.TelnetClient

fun main() {
    // Telnet has no encrypted variant: credentials and session data travel in cleartext
    val telnet = TelnetClient()

    // Plain FTP sends credentials and file contents unencrypted; FTPS is the secure variant
    val ftpClient = FTPClient()
    val ftpsClient = FTPSClient()

    // Plain SMTP sends credentials and mail unencrypted; SMTPS (TLS/STARTTLS) is the secure variant
    val smtpClient = SMTPClient()
    val smtpsClient = SMTPSClient()
}

Requirements