problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request
Author: semgrep
Download Count*: 6,272
Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.
Definition
rules:
  - id: telnet-request
    message: Checks for attempts to connect through telnet. This is insecure as the
      telnet protocol supports no encryption, and data passes through
      unencrypted.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    pattern: |
      $TELNETCLIENT = new TelnetClient(...);
      ...
      $TELNETCLIENT.connect(...);
Examples
telnet-request.java
class Bad {
    public void badtelnet1() {
        //ruleid: telnet-request
        TelnetClient telnet = new TelnetClient();
        telnet.connect("rainmaker.wunderground.com");
    }

    public void badtelnet2() {
        TelnetClient telnet = null;
        //ruleid: telnet-request
        telnet = new TelnetClient();
        telnet.connect("rainmaker.wunderground.com");
    }
}
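A hardened counterpart to the flagged calls, as an added example that is not part of the rule's own test file: it replaces the cleartext `TelnetClient.connect(...)` with a standard-library TLS socket that also checks the server's host name. The class name `TlsLineClient` and the host and port arguments are hypothetical, and it assumes the remote service offers a TLS endpoint.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class name; added example, not code from the rule or its tests.
public class TlsLineClient {

    // Opens a TLS-protected socket in place of TelnetClient.connect(host).
    // Assumption: the remote service listens on a TLS-wrapped port.
    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            // A raw SSLSocket validates the certificate chain but does not
            // compare the certificate to the host name unless asked to.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.setSoTimeout(10_000);
            // Complete the handshake now so a bad certificate fails the
            // connection before any application data is written.
            socket.startHandshake();
            return socket;
        } catch (IOException | RuntimeException e) {
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java TlsLineClient <host> <port>");
            return;
        }
        try (SSLSocket socket = connect(args[0], Integer.parseInt(args[1]));
             BufferedReader in = new BufferedReader(new InputStreamReader(
                     socket.getInputStream(), StandardCharsets.UTF_8))) {
            System.out.println("negotiated " + socket.getSession().getProtocol());
            System.out.println("first line: " + in.readLine());
        }
    }
}
```

Because no `TelnetClient` is constructed, the `telnet-request` pattern does not match this code.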
Short Link: https://sg.run/XBQB