Insecure gRPC Connection
Description
An insecure gRPC connection was found. The code creates a connection to a gRPC client/server without encryption. An attacker could tamper with the gRPC messages in transit, which could compromise the machine.
Examples
Insecure Code
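```javascript
const grpc = require('@grpc/grpc-js');
const creds = grpc.credentials.createInsecure(); // plaintext channel, no TLS
```
Secure Code
```javascript
const grpc = require('@grpc/grpc-js');
const creds = grpc.credentials.createSsl(); // TLS channel, default root CAs
```
Remediation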
Use a secure connection by creating credentials with encryption, such as SSL/TLS.
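To find the remaining insecure calls before replacing them, the sketch below scans JavaScript source text for `createInsecure()` on both the client (`credentials`) and server (`ServerCredentials`) factories. It is an added example, not this rule's own implementation; the function names and the sample input are assumptions made for illustration.

```javascript
// Added example: a simplified text-based check, not the scanner's rule logic.

// Blank out comments so commented-out calls are not reported.
// Newlines inside block comments are kept so line numbers stay correct.
// Heuristic: "//" preceded by ":" (as in a URL string) is left alone.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
}

// Client side: grpc.credentials.createInsecure()
// Server side: grpc.ServerCredentials.createInsecure()
const INSECURE_CALL =
  /\b(?:credentials|ServerCredentials)\s*\.\s*createInsecure\s*\(/;

// Returns [{ line, code }] for every insecure credential call in `src`.
function findInsecureGrpc(src) {
  const findings = [];
  stripComments(src).split('\n').forEach((text, i) => {
    if (INSECURE_CALL.test(text)) {
      findings.push({ line: i + 1, code: text.trim() });
    }
  });
  return findings;
}

// Constructed sample input (not taken from a real project).
const SAMPLE = [
  "const grpc = require('@grpc/grpc-js');",
  "// const old = grpc.credentials.createInsecure();",
  "const a = grpc.credentials.createInsecure(); // dev only",
  "const b = grpc.credentials.createSsl();",
  "server.bindAsync('0.0.0.0:50051',",
  "  grpc.ServerCredentials.createInsecure(), onBound);",
].join('\n');

console.log(findInsecureGrpc(SAMPLE));
```

A text match like this misses credentials passed through wrappers or aliases, so treat an empty result as a starting point rather than proof that every channel uses TLS.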
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0375 |
| Category | InsecureConfig |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | encryption, tls |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |