java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection


Insecure SMTP connection detected. The server's certificate is not checked against the SMTP host name, so a certificate the JVM trusts but that was issued for a different host (e.g. one presented by a man-in-the-middle) is accepted (CWE-297). Enable the server identity check by calling 'email.setSSLCheckServerIdentity(true)' before send(); this applies to both SSL-on-connect and STARTTLS sessions.


Definition

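rules:
  - id: insecure-smtp-connection
    metadata:
      cwe:
        - "CWE-297: Improper Validation of Certificate with Host Mismatch"
      owasp:
        - A07:2021 - Identification and Authentication Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    # Wording follows the CWE-297 entry above. What setSSLCheckServerIdentity(true)
    # turns on is the host-name (server identity) check of the presented certificate,
    # not trust-store validation, so "trusts any certificate" would overstate it.
    message: Insecure SMTP connection detected. The server's certificate is not
      checked against the SMTP host name, so a certificate the JVM trusts but that
      was issued for a different host (e.g. one presented by a man-in-the-middle)
      is accepted. Enable the server identity check by calling
      'email.setSSLCheckServerIdentity(true)' before send(); this applies to both
      setSSLOnConnect(true) and setStartTLSEnabled(true) sessions.
    severity: WARNING
    patterns:
      # A setSSLCheckServerIdentity(true) on the same object anywhere before
      # send() suppresses the finding. The constructor, the flag and send() must
      # all be in one block; configuration done in a separate helper method is
      # neither credited nor reported by this rule.
      - pattern-not-inside: |
          $EMAIL.setSSLCheckServerIdentity(true);
          ...
      # Match every concrete Commons Email type, not only SimpleEmail: they all
      # inherit send() and the identity flag from org.apache.commons.mail.Email.
      - pattern-either:
          - pattern-inside: |
              $EMAIL = new SimpleEmail(...);
              ...
          - pattern-inside: |
              $EMAIL = new MultiPartEmail(...);
              ...
          - pattern-inside: |
              $EMAIL = new HtmlEmail(...);
              ...
          - pattern-inside: |
              $EMAIL = new ImageHtmlEmail(...);
              ...
      # The rule does not require setSSLOnConnect/setStartTLSEnabled to be present:
      # a plain-text SMTP session is reported too (the identity check is moot there,
      # but the session is no better off).
      - pattern: $EMAIL.send(...);
    languages:
      - java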

Examples

insecure-smtp-connection.java

/**
 * Semgrep test fixture for {@code insecure-smtp-connection}: one Commons Email
 * send that the rule must report and one it must not. The two methods differ
 * only in the {@code setSSLCheckServerIdentity(true)} call.
 *
 * @see <a href="https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL">INSECURE_SMTP_SSL</a>
 */
public class Cls {

    /**
     * Negative case: implicit TLS is used (port 465, {@code setSSLOnConnect}),
     * but the server identity check is left at its default, which the rule
     * treats as disabled -- a certificate the JVM trusts but that was issued
     * for a different host would be accepted (CWE-297, host-name mismatch).
     *
     * @param username SMTP login handed to {@link DefaultAuthenticator}
     * @param password SMTP password (fixture only; production code should not
     *                 keep secrets in {@code String})
     */
    public void sendEmail(String username, String password) {
        Email email = new SimpleEmail();
        email.setHostName("smtp.servermail.com");
        email.setSmtpPort(465);
        email.setAuthenticator(new DefaultAuthenticator(username, password));
        // TLS from the first byte, but no setSSLCheckServerIdentity(true) follows.
        email.setSSLOnConnect(true);
        email.setFrom("user@gmail.com");
        email.setSubject("TestMail");
        email.setMsg("This is a test mail ... :-)");
        email.addTo("foo@bar.com");
        // ruleid:insecure-smtp-connection
        email.send();
    }

    /**
     * Positive case: the same session, but {@code setSSLCheckServerIdentity(true)}
     * precedes {@code send()} in the same block, which satisfies the rule's
     * pattern-not-inside clause, so no finding is expected here.
     *
     * @param username SMTP login handed to {@link DefaultAuthenticator}
     * @param password SMTP password (fixture only)
     */
    public void sendEmailSafe(String username, String password) {
        Email email = new SimpleEmail();
        email.setHostName("smtp.servermail.com");
        email.setSmtpPort(465);
        email.setAuthenticator(new DefaultAuthenticator(username, password));
        email.setSSLOnConnect(true);
        // Require the presented certificate to match "smtp.servermail.com".
        email.setSSLCheckServerIdentity(true);
        email.setFrom("user@gmail.com");
        email.setSubject("TestMail");
        email.setMsg("This is a test mail ... :-)");
        email.addTo("foo@bar.com");
        // ok:insecure-smtp-connection
        email.send();
    }
}