MongoDB Client with SSL Hostname Verification Disabled
Description
The MongoDB client is configured with SSL/TLS hostname verification disabled (`invalidHostNameAllowed(true)`). With verification off, the client accepts any certificate that chains to a trusted CA regardless of the name it was issued for, so an attacker who can intercept the connection and present such a certificate can impersonate the MongoDB server and read or modify traffic in a man-in-the-middle attack.
Examples
Insecure Code
```java
$SETTINGS.invalidHostNameAllowed(true)
```
Secure Code
```java
$SETTINGS.invalidHostNameAllowed(false)
```
Remediation
Enable SSL hostname verification by setting invalidHostNameAllowed to false.
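The following is an added example for the MongoDB Java driver (4.x `MongoClientSettings` API); it is not part of the rule definition or the driver's own documentation. It places the flagged configuration beside the remediated one and adds a small startup guard that inspects the built `SslSettings` and refuses a client whose TLS settings skip hostname verification. The host in the connection string is a placeholder; the class and method names are chosen here.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.connection.SslSettings;

public class MongoTlsHostnameCheck {

    // Placeholder address; substitute your deployment's host.
    private static final String URI = "mongodb://mongo.example.internal:27017/?tls=true";

    // Flagged pattern (CODE-0292): hostname verification switched off. The client would
    // accept a certificate a trusted CA issued for some other name, so an interposed
    // server holding such a certificate is not detected.
    static MongoClientSettings insecureSettings() {
        return MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(URI))
                .applyToSslSettings(ssl -> ssl.enabled(true).invalidHostNameAllowed(true))
                .build();
    }

    // Remediated form: TLS on, hostname verification on. false is also the driver
    // default, so simply never calling invalidHostNameAllowed(true) is sufficient.
    static MongoClientSettings secureSettings() {
        return MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(URI))
                .applyToSslSettings(ssl -> ssl.enabled(true).invalidHostNameAllowed(false))
                .build();
    }

    // Startup guard: fail fast instead of building a client that would skip
    // hostname verification, so the misconfiguration cannot reach production quietly.
    static void requireHostnameVerification(MongoClientSettings settings) {
        SslSettings ssl = settings.getSslSettings();
        if (ssl.isEnabled() && ssl.isInvalidHostNameAllowed()) {
            throw new IllegalStateException(
                    "MongoDB TLS hostname verification is disabled (invalidHostNameAllowed=true)");
        }
    }

    public static void main(String[] args) {
        try {
            requireHostnameVerification(insecureSettings());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        MongoClientSettings ok = secureSettings();
        requireHostnameVerification(ok);
        try (MongoClient client = MongoClients.create(ok)) {
            // Connections are opened lazily; listing databases forces the TLS handshake,
            // which now fails if the server certificate does not match the host name.
            client.listDatabaseNames().first();
        }
    }
}
```

Because the guard reads the final `SslSettings` rather than scanning source code, it also catches the connection-string form of the same setting (`tlsAllowInvalidHostnames=true`), which `applyConnectionString` maps onto `invalidHostNameAllowed`.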
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0292 |
| Category | Crypto |
| Severity | CRITICAL |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | mongodb, ssl, tls |
| OWASP | N/A |