Missing SSL host check in SMTP

Overview

  • Rule ID: java_lang_missing_smtp_ssl_host_check

  • Applicable Languages: Java

  • Weakness ID: CWE-297

Description

The absence of an SSL host check in SMTP can compromise the security of email communications. This vulnerability occurs when the SMTP server's SSL/TLS certificate is not validated against the host name the client expected to connect to. Because the certificate chain may still be trusted, an attacker can impersonate the legitimate mail server by presenting a valid certificate that was issued for a different host.

Remediation Guidelines

  • Ensure your email client is configured to verify the server's identity, i.e. to compare the presented certificate against the configured host name. This step is essential to prevent attackers from impersonating a trusted server and redirecting or spoofing email traffic.

    // Apache Commons Email: Email is abstract, so instantiate a concrete subclass.
    Email email = new SimpleEmail();
    // Use an SSL/TLS connection from the start.
    email.setSSLOnConnect(true);
    // Verify that the server certificate matches the configured host name.
    email.setSSLCheckServerIdentity(true);
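The following is an added example, not part of this rule's documentation, that shows the weak and the hardened client side by side with Apache Commons Email (assumed version 1.x, which builds on javax.mail), plus the equivalent hardening when a `javax.mail.Session` is configured directly. The host name `smtp.example.com` and the class name `SmtpHostCheckExample` are placeholders chosen for the example.

```java
import java.util.Properties;

import javax.mail.Session;

import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

public class SmtpHostCheckExample {

    // Hypothetical server name used for illustration only.
    private static final String SMTP_HOST = "smtp.example.com";

    // Weak configuration: TLS is enabled, but the certificate's subject is never
    // compared against SMTP_HOST, so a valid certificate issued for any other host
    // is accepted and the connection can be redirected to an impostor server.
    static Email weakClient() {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSmtpPort(465);
        email.setSSLOnConnect(true);
        // Missing: email.setSSLCheckServerIdentity(true);
        return email;
    }

    // Hardened configuration: the client verifies that the presented certificate
    // actually belongs to SMTP_HOST before credentials or mail are sent.
    static Email hardenedClient() {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSmtpPort(465);
        email.setSSLOnConnect(true);
        email.setSSLCheckServerIdentity(true);
        return email;
    }

    // Equivalent hardening when building a javax.mail Session by hand: Commons Email
    // sets these same session properties internally when the flags above are used.
    static Session hardenedSession() {
        Properties props = new Properties();
        props.put("mail.smtp.host", SMTP_HOST);
        props.put("mail.smtp.port", "465");
        props.put("mail.smtp.ssl.enable", "true");
        props.put("mail.smtp.ssl.checkserveridentity", "true");
        return Session.getInstance(props);
    }

    // Small audit helper: returns false for a client that would trip this rule.
    static boolean isHostCheckEnabled(Email email) {
        return email.isSSLCheckServerIdentity();
    }

    public static void main(String[] args) {
        System.out.println("weak client checks identity: " + isHostCheckEnabled(weakClient()));
        System.out.println("hardened client checks identity: " + isHostCheckEnabled(hardenedClient()));
    }
}
```

Note that `setSSLOnConnect(true)` alone only encrypts the channel; without `setSSLCheckServerIdentity(true)` (or `mail.smtp.ssl.checkserveridentity=true` on the session) the client still accepts any certificate that chains to a trusted CA, regardless of the host name it was issued for.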

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
