Java Missing Ssl Check Server Identity
Description
Detects when Apache Commons Email is used without proper SSL server identity verification. This creates a security risk where attackers could perform man-in-the-middle attacks by intercepting SMTP communications with malicious servers, potentially exposing sensitive email content and credentials.
Detection Strategy
• Check whether the org.apache.commons.mail library is imported in the code
• Look for email send() method calls in the code
• Verify whether the email object is created without proper SSL server identity verification
• Report a vulnerability when send() is called on an email object that lacks SSL server identity checks
• Check the entire method scope to ensure no SSL protection is added before the send() call
Vulnerable code example
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;
import org.apache.commons.mail.DefaultAuthenticator;

public class InsecureSmtp {
    public void sendUnsafeEmail() throws Exception {
        // VULNERABLE: Email sent without SSL/TLS configuration
        Email email = new SimpleEmail();
        // ...

✅ Secure code example
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;
import org.apache.commons.mail.DefaultAuthenticator;

public class SecureSmtp {
    public void sendSecureEmail() throws Exception {
        Email email = new SimpleEmail();
        email.setHostName("smtp.example.com");
        // ...
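The two examples above are cut short on this page. The following is an added, complete example (not Fluid Attacks' code and not the rule's own fixture) that places the flagged configuration next to a hardened one and adds a pre-send guard mirroring the rule's condition. It assumes the Apache Commons Email 1.x API (1.3 or later, where setSSLOnConnect, setSSLCheckServerIdentity and setStartTLSRequired exist); the host name, credentials and the helper names insecureEmail, secureEmail, requireVerifiedTls and checkServerIdentityProperty are placeholders chosen for this example. Nothing is sent: main() only builds the configurations and inspects them.

```java
import java.util.Properties;

import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SmtpTransportCheck {

    // Placeholder values for this example; load real credentials from a secret store.
    private static final String SMTP_HOST = "smtp.example.com";
    private static final String SMTP_USER = "user";
    private static final String SMTP_PASSWORD = "password-from-secret-store";

    /** The configuration the rule flags: plaintext SMTP, no server identity check at all. */
    static Email insecureEmail() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSmtpPort(25);
        email.setAuthenticator(new DefaultAuthenticator(SMTP_USER, SMTP_PASSWORD));
        email.setFrom("alerts@example.com");
        email.addTo("ops@example.com");
        email.setSubject("status");
        email.setMsg("hello");
        return email; // send() here would hand the credentials to whichever host answers
    }

    /** Hardened configuration: implicit TLS on the SSL port plus host-name verification. */
    static Email secureEmail() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSslSmtpPort("465");
        email.setSSLOnConnect(true);           // TLS from the first byte, no plaintext phase
        email.setSSLCheckServerIdentity(true); // server certificate must match SMTP_HOST
        email.setAuthenticator(new DefaultAuthenticator(SMTP_USER, SMTP_PASSWORD));
        email.setFrom("alerts@example.com");
        email.addTo("ops@example.com");
        email.setSubject("status");
        email.setMsg("hello");
        return email;
    }

    /**
     * Guard to call right before send(). It encodes the rule's condition: the connection
     * must be TLS (implicit, or STARTTLS that cannot be downgraded) and the server
     * certificate must be checked against the configured host name.
     */
    static void requireVerifiedTls(Email email) {
        boolean tls = email.isSSLOnConnect() || email.isStartTLSRequired();
        if (!tls) {
            throw new IllegalStateException(
                "SMTP transport is not TLS-protected: call setSSLOnConnect(true) or setStartTLSRequired(true)");
        }
        if (!email.isSSLCheckServerIdentity()) {
            throw new IllegalStateException(
                "TLS server identity is not verified: call setSSLCheckServerIdentity(true)");
        }
    }

    /** Shows the JavaMail session property that setSSLCheckServerIdentity(true) translates into. */
    static String checkServerIdentityProperty(Email email) throws EmailException {
        Properties props = email.getMailSession().getProperties();
        return props.getProperty("mail.smtp.ssl.checkserveridentity", "<unset>");
    }

    public static void main(String[] args) throws EmailException {
        Email bad = insecureEmail();
        Email good = secureEmail();

        System.out.println("insecure -> mail.smtp.ssl.checkserveridentity=" + checkServerIdentityProperty(bad));
        System.out.println("secure   -> mail.smtp.ssl.checkserveridentity=" + checkServerIdentityProperty(good));

        try {
            requireVerifiedTls(bad);
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
        requireVerifiedTls(good); // passes; good.send() would be safe to call at this point
    }
}
```

Two points the guard encodes: setSSLCheckServerIdentity(true) on its own changes nothing on a plaintext connection, because the library only emits mail.smtp.ssl.checkserveridentity when SSL-on-connect or STARTTLS is also enabled; and setStartTLSEnabled(true) without setStartTLSRequired(true) still falls back to plaintext when a server does not advertise STARTTLS, so only the required form counts as protection here.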