Insecure TLS Setting in ActionMailer SMTP Configuration

Description

The ActionMailer SMTP configuration has insecure TLS settings, which do not require a successful, encrypted, and verified TLS connection. This could lead to man-in-the-middle attacks or eavesdropping.

Examples

Insecure Code

ruby

ActionMailer::Base.smtp_settings = { ..., openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE, ... }

Secure Code

ruby

ActionMailer::Base.smtp_settings = { ..., enable_starttls: true, openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER, ... }

Remediation

Set `enable_starttls: true` and `openssl_verify_mode` to verify peer in the ActionMailer SMTP configuration.

Rule Details

Field	Value
ID	CODE-0001
Category	InsecureConfig
Severity	HIGH
CWE	CWE-295
Confidence	HIGH
Impact	HIGH
Likelihood	HIGH
Exploitability	EASY
Tags	smtp, tls
OWASP	N/A

References

https://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insecure TLS Setting in ActionMailer SMTP Configuration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Insecure TLS Setting in ActionMailer SMTP Configuration ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Insecure TLS Setting in ActionMailer SMTP Configuration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References