150 – Use of an insecure channel - useSslProtocol()
Description
The application uses useSslProtocol() function, which allows the trust manager to trust all server certificates presented to it, this is convenient for local development, but is not recommended for use in production, as it does not provide protection against man-in-the-middle attacks.
Impact
Intercept sensitive information over an insecure channel.
Recommendation
Preferably make use of useSslProtocol(SSLContext).
Threat
Anonymous attacker on the internal network running a MitM.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: A
- Attack complexity: H
- Attack Requirements: N
- Privileges required: N
- User interaction: A
- Confidentiality (VC): L
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P