332 – Use of insecure channel - Source code

Description

Customer information is transmitted over a channel that does not use encryption.

Impact

- Capture sensitive information and credentials in plain text. - Intercept communication and steal or forge requests and responses.

Recommendation

Deploy the application over an encrypted communication channel, e.g. HTTPS using TLS.

Threat

Anonymous attacker in adjacent network executing a man-in-the-middle attack.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: P
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 181 - Transmit data using secure protocols

Fixes

• Cloudformation
• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Scala
• Swift
• Typescript

Last updated

2024/02/19