Java Smtp Trusts All Certs
Description
Detects insecure SMTP email connections in Java applications using Apache Commons Email where SSL certificate validation is disabled or missing. This vulnerability could allow attackers to intercept email communications through man-in-the-middle attacks, potentially exposing sensitive information.
Detection Strategy
• Check if the Apache Commons Email library (org.apache.commons.mail) is imported in the code
• Look for email send() method calls in the code
• Verify if the email object is created using SimpleEmail or similar unsafe email constructors
• Check whether the email connection is configured without proper SSL/TLS certificate validation
• Report a vulnerability if an email is sent without proper certificate validation
Vulnerable code example

import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;
import org.apache.commons.mail.DefaultAuthenticator;

public void sendInsecureEmail() {
    Email email = new SimpleEmail();
    email.setHostName("smtp.server.com");
    email.setSmtpPort(465);
    ...

✅ Secure code example
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;
import org.apache.commons.mail.DefaultAuthenticator;

public void sendSecureEmail() {
    Email email = new SimpleEmail();
    email.setHostName("smtp.server.com");
    email.setSmtpPort(465);
    ...