Missing SSL host check in SMTP

Overview

Rule ID: java_lang_missing_smtp_ssl_host_check
Applicable Languages: Java
Weakness ID: CWE-297

Description

The absence of an SSL host check in SMTP can compromise the security of email communications. This vulnerability occurs when SSL certificates are not correctly validated to verify their origin from the expected host. This oversight may enable attackers to impersonate legitimate entities by using valid SSL certificates obtained from other hosts.

Remediation Guidelines

Ensure your email client is configured to verify the server's identity. This step is essential to prevent attackers from impersonating a trusted server, thereby avoiding redirection or spoofing attacks.
```
Email email = new Email();
email.setSSLOnConnect(true);
email.setSSLCheckServerIdentity(true);
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousMissing signature verification of JWT NextMissing Support for Integrity Check

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration