# Cleartext transmission of sensitive information

## Description

The Sequelize connection string indicates that the database server does not use TLS. Non-TLS connections are susceptible to man-in-the-middle (MITM) attacks.

## Examples

### Insecure Code

```javascript
const sequelize = new Sequelize('database', 'username', 'password', { host: 'localhost', dialect: 'mysql' });
```

### Secure Code

```javascript
const sequelize = new Sequelize('database', 'username', 'password', { host: 'localhost', dialect: 'mysql', dialectOptions: { ssl: true } });
```

## Remediation

Enable TLS for the database connection by adding `dialectOptions: { ssl: true }` to the Sequelize connection options.

## Rule Details
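The following is an added example, not code from this rule page or from the Sequelize project. It shows a small audit function that inspects a Sequelize options object the way this rule does (TLS absent under `dialectOptions.ssl`) and additionally flags the case where TLS is on but certificate verification is switched off, plus a helper that produces hardened options pinned to a CA certificate. The `ssl` object shape (`ca`, `rejectUnauthorized`) is the Node `tls` option shape that the MySQL and Postgres drivers pass through; the CA string and the option values below are constructed placeholders, and `auditDialectOptions`/`hardenedOptions` are names chosen for this example, not the scanner's own functions.

```javascript
'use strict';

// Audit a Sequelize options object for cleartext database transport (CWE-319).
// Returns an array of human-readable findings; an empty array means no issue.
// This approximates the rule's check; it is not the scanner's real logic.
function auditDialectOptions(options) {
  const findings = [];
  if (!options || typeof options !== 'object') {
    return ['options object missing'];
  }
  // SQLite is file-backed: there is no network transport to encrypt.
  if (options.dialect === 'sqlite') {
    return findings;
  }
  const ssl = options.dialectOptions ? options.dialectOptions.ssl : undefined;
  if (ssl === undefined || ssl === false) {
    findings.push('TLS not enabled: add dialectOptions.ssl (CWE-319)');
    return findings;
  }
  // `ssl: true` turns TLS on; an object lets the caller tune verification.
  // Disabling verification keeps the channel encrypted but re-opens MITM.
  if (typeof ssl === 'object' && ssl !== null && ssl.rejectUnauthorized === false) {
    findings.push('TLS enabled but server certificate is not verified (rejectUnauthorized: false)');
  }
  return findings;
}

// Build hardened options: TLS on, server certificate checked against a
// trusted CA. `caPem` is the PEM text of the CA (constructed placeholder below).
function hardenedOptions(base, caPem) {
  return {
    ...base,
    dialectOptions: {
      ...(base.dialectOptions || {}),
      ssl: { ca: caPem, rejectUnauthorized: true },
    },
  };
}

// Constructed sample configurations mirroring the page's two snippets.
const insecure = { host: 'localhost', dialect: 'mysql' };
const secure = { host: 'localhost', dialect: 'mysql', dialectOptions: { ssl: true } };
const unverified = { host: 'localhost', dialect: 'mysql', dialectOptions: { ssl: { rejectUnauthorized: false } } };
const PLACEHOLDER_CA = '-----BEGIN CERTIFICATE-----\n(placeholder CA, not a real certificate)\n-----END CERTIFICATE-----\n';

for (const [name, cfg] of Object.entries({ insecure, secure, unverified })) {
  console.log(name, auditDialectOptions(cfg));
}
console.log('hardened', auditDialectOptions(hardenedOptions(insecure, PLACEHOLDER_CA)));
```

In real deployments the CA text would be read from a file or secret store rather than embedded; the point of `hardenedOptions` is that `rejectUnauthorized: true` with an explicit `ca` is what actually defeats an interposed server, whereas `ssl: true` alone only guarantees encryption of the channel.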
| Field | Value |
|---|---|
| ID | CODE-0362 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-319 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | TLS, database security |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |