problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request

profile photo of returntocorpreturntocorp
Author
6,272
Download Count*

Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.

Run Locally

Run in CI

Defintion

rules:
  - id: telnet-request
    message: Checks for attempts to connect through telnet. This is insecure as the
      telnet protocol supports no encryption, and data passes through
      unencrypted.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    pattern: |
      $TELNETCLIENT = new TelnetClient(...);
      ...
      $TELNETCLIENT.connect(...);

Examples

telnet-request.java

class Bad {
    public void badtelnet1() {
        //ruleid: telnet-request
        TelnetClient telnet = new TelnetClient();
        telnet.connect("rainmaker.wunderground.com");
    }

    public void badtelnet2() {
        TelnetClient telnet = null;
        //ruleid: telnet-request
        telnet = new TelnetClient();
        telnet.connect("rainmaker.wunderground.com");
    }
}