Unverified SSL Context
Description
The application creates an SSL context using the `_create_unverified_context` method, which disables the validation of server certificates and hostname checking. Because any certificate is accepted, an adversary in a position to intercept the connection can read potentially sensitive information or transmit malicious data to the application.
Examples
Insecure Code
```python
# verify_mode is CERT_NONE and check_hostname is False: any certificate is accepted
ssl._create_unverified_context()
```
Secure Code
```python
# verify_mode is CERT_REQUIRED and check_hostname is True, using the system trust store
ssl.create_default_context()
```
Remediation
Remove the call to `_create_unverified_context` and create a default context using `ssl.create_default_context`, or create a context that requires TLS 1.3.
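The following is an added example, not part of the rule text, that audits the two contexts above and shows the remediated form; it assumes Python 3.7 or later (for `ssl.TLSVersion`) and makes no network connection.

```python
import ssl


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings that decide whether a peer certificate is really checked."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def is_unverified(ctx: ssl.SSLContext) -> bool:
    """True when the context would accept any server certificate (the CODE-0167 finding)."""
    report = audit_context(ctx)
    return not (report["verifies_cert"] and report["checks_hostname"])


def insecure_context() -> ssl.SSLContext:
    # The flagged pattern: certificate validation and hostname checking are both off.
    return ssl._create_unverified_context()


def secure_context(require_tls13: bool = True) -> ssl.SSLContext:
    # Remediation: default context validates against the system trust store and
    # checks the hostname; optionally raise the protocol floor to TLS 1.3.
    ctx = ssl.create_default_context()
    if require_tls13 and ssl.HAS_TLSv1_3:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        verdict = "FLAGGED" if is_unverified(ctx) else "ok"
        print(f"{name}: {audit_context(ctx)} -> {verdict}")
```

Run it to see the insecure context reported as FLAGGED and the default context pass; `is_unverified` is the check a reviewer or test suite can apply to any context an application builds.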
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0167 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | certificate validation, SSL context |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |