Insecure SMTP SSL Configuration

Description

The Apache commons mail client does not enable TLS server identity by default, allowing an adversary to intercept sensitive information or transmit malicious data.

Examples

Insecure Code

java

Email email = new SimpleEmail();
email.setHostName("smtp.mail.example.com");
email.setSmtpPort(465);
email.setSSLOnConnect(true);

Secure Code

java

Email email = new SimpleEmail();
email.setHostName("smtp.mail.example.com");
email.setSmtpPort(465);
email.setSSLOnConnect(true);
email.setSSLCheckServerIdentity(true);

Remediation

Enable checking server identity by calling `Email.setSSLCheckServerIdentity(true)` and ensure SSL is used on connect with `Email.setSSLOnConnect(true)`

Rule Details

Field	Value
ID	CODE-0721
Category	InsecureConfig
Severity	MEDIUM
CWE	CWE-297
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	TLS, SSL, Server Identity
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insecure SMTP SSL Configuration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Insecure SMTP SSL Configuration ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Insecure SMTP SSL Configuration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details