Cleartext transmission of sensitive information
Description
The application uses a telnet library, which does not provide encryption. It is strongly recommended to use a more secure transport such as SSH.
Examples
Insecure Code
```python
# telnet sends credentials and session data in cleartext over the network
import telnetlib
```
Secure Code
```python
import paramiko

with paramiko.SSHClient() as ssh:
    # Only trust hosts already present in the known_hosts file
    ssh.load_system_host_keys('/home/appuser/.ssh/known_hosts')
    # SSH encrypts the session; key-based authentication avoids sending a password
    ssh.connect(hostname='example.org', port=22, username='appuser', key_filename='/home/appuser/.ssh/private_key')
```
Remediation
Replace the telnet library with a secure alternative like paramiko for SSH connections.
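The check behind this rule can be reproduced with a small AST walk over Python source. The following is an added example, not the scanner's own implementation: it flags every `import telnetlib` / `from telnetlib import ...` statement with its line number. The module list, the function names and the two embedded source snippets are constructed for the example.

```python
import ast

# Modules that carry credentials and session data in cleartext (assumed list for this example).
CLEARTEXT_MODULES = {"telnetlib"}

# Constructed sample inputs: one file that still uses telnet, one that moved to SSH.
INSECURE_SAMPLE = """import os
import telnetlib
from telnetlib import Telnet

tn = telnetlib.Telnet("example.org", 23)
"""

SECURE_SAMPLE = """import paramiko

with paramiko.SSHClient() as ssh:
    ssh.connect("example.org", port=22, username="appuser")
"""


def find_cleartext_imports(source: str, filename: str = "<string>") -> list:
    """Return (lineno, module) for every import of a cleartext transport module."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # `import telnetlib` or `import telnetlib as t`; compare the top-level package
            for alias in node.names:
                if alias.name.split(".")[0] in CLEARTEXT_MODULES:
                    findings.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            # `from telnetlib import Telnet`; node.module is None for `from . import x`
            if node.module and node.module.split(".")[0] in CLEARTEXT_MODULES:
                findings.append((node.lineno, node.module))
    return findings


def report(source: str, filename: str) -> list:
    """Format findings as scanner-style lines: file:line: message (CWE-319)."""
    return [
        f"{filename}:{lineno}: cleartext transport module '{module}' imported (CWE-319)"
        for lineno, module in find_cleartext_imports(source, filename)
    ]


if __name__ == "__main__":
    for line in report(INSECURE_SAMPLE, "insecure.py") + report(SECURE_SAMPLE, "secure.py"):
        print(line)
```

Only the import statement is matched, which is enough for this rule: the `Telnet(...)` call cannot exist without it, and matching the import keeps the check independent of how the object is later named or aliased.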
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0168 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-319 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cleartext transmission, sensitive information |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |