Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code sends HTTP requests using Apache HttpComponents over unencrypted ‘http://’ URLs instead of ‘https://’. Everything in the request and response, including headers such as Authorization and Cookie, is readable and modifiable by anyone on the network path.

Impact

Sensitive information such as authentication credentials, personal data, or session tokens could be intercepted or tampered with by attackers monitoring network traffic. This may lead to data breaches, account compromise, or unauthorized access to your application and its users.

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code sends HTTP requests using Unirest to URLs that start with ‘http://’, which means data is transmitted without encryption. This exposes any sensitive information in the request to interception.

Impact

Attackers on the network can eavesdrop on unencrypted traffic, potentially capturing sensitive data like login credentials or personal information. This can lead to data breaches, account compromise, and violation of privacy or compliance requirements.
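The following is an added example, not code from the page or from the Unirest project. It assumes Unirest-java 3.x (package kong.unirest) and a hypothetical host api.example.com. The vulnerable method is the literal pattern the rule flags; the hardened version routes every URL, including ones loaded from configuration where no scanner sees a literal, through a scheme check before the request is built, and leaves certificate verification on.

```java
import kong.unirest.HttpResponse;
import kong.unirest.Unirest;

import java.net.URI;
import java.net.URISyntaxException;

public class UnirestHttpsOnly {

    /** Call once at startup: Unirest 3.x applies config to the shared client it builds on first use. */
    static void configure() {
        // verifySsl(true) is the default; setting it explicitly makes a later verifySsl(false) stand out in review.
        Unirest.config().verifySsl(true);
    }

    /** Returns the URL unchanged if it is https; anything else is rejected before a request is even built. */
    static String requireHttps(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL: " + url, e);
        }
        // Scheme comparison is case-insensitive (RFC 3986); a missing scheme is rejected as well.
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("https")) {
            throw new IllegalArgumentException("refusing cleartext transport for " + url);
        }
        return url;
    }

    /** Vulnerable: this is the pattern the rule flags; the bearer token travels in cleartext. */
    static String fetchProfileInsecure(String token) {
        HttpResponse<String> r = Unirest.get("http://api.example.com/v1/me") // hypothetical host
                .header("Authorization", "Bearer " + token)
                .asString();
        return r.getBody();
    }

    /** Hardened: the base URL comes from configuration, so the scheme check is what enforces TLS. */
    static String fetchProfile(String baseUrl, String token) {
        HttpResponse<String> r = Unirest.get(requireHttps(baseUrl) + "/v1/me")
                .header("Authorization", "Bearer " + token)
                .asString();
        if (r.getStatus() != 200) {
            throw new IllegalStateException("unexpected status " + r.getStatus());
        }
        return r.getBody();
    }

    public static void main(String[] args) {
        // Exercises only the guard, so it runs without network access.
        try {
            requireHttps("http://api.example.com");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + requireHttps("https://api.example.com"));
    }
}
```

The guard belongs at the point where a URL enters the code (configuration loader, service registry lookup), not only next to the literal the scanner happened to catch.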

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Implementing X509TrustManager with empty checkServerTrusted/checkClientTrusted methods, or otherwise bypassing TLS/SSL certificate verification, makes the application accept any server certificate, including one minted by an attacker on the network path. A HostnameVerifier that always returns true has the same effect. This is never an acceptable fix for a certificate error and must not reach production; for a private or self-signed CA, add that CA to the trust store instead of disabling validation.

Impact

If exploited, attackers could perform man-in-the-middle (MITM) attacks to intercept, read, or modify data transmitted between the app and its servers. This can lead to the exposure of user credentials, personal information, and other sensitive data, resulting in data breaches and loss of user trust.
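The following is an added example, not code from the page. It shows the trust-all X509TrustManager the rule flags beside two correct alternatives: validating against the platform trust store, and trusting exactly one private CA loaded from a PEM file (the usual real reason people reach for trust-all). The PEM path and the URL passed to open() are the caller's; nothing here is specific to any product.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TrustManagerExamples {

    /** Vulnerable: accepts any chain for any host. Every MITM presents a certificate this code "checks". */
    static SSLContext trustAllContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    /** Hardened, case 1: validate against the platform trust store (what you get by not touching TrustManager at all). */
    static SSLContext defaultTrustContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JDK cacerts, or the store named by javax.net.ssl.trustStore
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Hardened, case 2: the fix for "our test server has a self-signed cert": trust exactly one private CA. */
    static SSLContext privateCaContext(Path caPem) throws Exception {
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caPem)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store containing only our CA
        ks.setCertificateEntry("private-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Chain validation is only half of it: the default HostnameVerifier checks the SAN against the URL host. */
    static HttpsURLConnection open(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        // Do not call c.setHostnameVerifier(...) with a verifier that returns true; that reopens the MITM hole.
        return c;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = defaultTrustContext();
        System.out.println("context protocol: " + ctx.getProtocol());
    }
}
```

Review tip: grep for `checkServerTrusted` bodies that are empty or only log, and for `HostnameVerifier` lambdas of the form `(host, session) -> true`; both are the runtime shape of this finding.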

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code sends HTTP requests using HttpClient to URLs that start with ‘http://’, which means data is transmitted without encryption. This exposes any information sent or received to potential interception by attackers.

Impact

Sensitive data such as credentials or personal information can be read or modified by attackers on the network. This can lead to data breaches, session hijacking, and compromise of user privacy or application security.
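The following is an added example, not code from the page. It assumes the HttpClient in question is java.net.http.HttpClient (Java 11 and later) and uses a hypothetical host api.example.com. Beyond swapping the scheme, it shows a point specific to this client: the redirect policy. Redirect.ALWAYS would follow an https to http redirect, while Redirect.NORMAL refuses exactly that downgrade, and the response URI is checked afterwards as well.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class HttpsOnlyClient {

    /** Vulnerable: literal http:// and a policy that would also follow an https -> http redirect. */
    static HttpClient insecureClient() {
        return HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.ALWAYS)
                .build();
    }

    static HttpRequest insecureRequest(String token) {
        return HttpRequest.newBuilder(URI.create("http://api.example.com/v1/me")) // hypothetical host
                .header("Authorization", "Bearer " + token)
                .GET()
                .build();
    }

    /** Hardened: NORMAL follows redirects except from https to http, so a downgrade redirect stops the request. */
    static HttpClient client() {
        return HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NORMAL)
                .connectTimeout(Duration.ofSeconds(10))
                .build();
    }

    /** The scheme check guards URIs that arrive from configuration, where no literal exists to be scanned. */
    static HttpRequest request(URI uri, String token) {
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("cleartext scheme refused: " + uri);
        }
        return HttpRequest.newBuilder(uri)
                .header("Authorization", "Bearer " + token)
                .timeout(Duration.ofSeconds(30))
                .GET()
                .build();
    }

    static String send(HttpClient client, HttpRequest req) throws Exception {
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        // resp.uri() is the URI the body actually came from, after any redirects; it must still be https.
        if (!"https".equalsIgnoreCase(resp.uri().getScheme())) {
            throw new IllegalStateException("response arrived over cleartext: " + resp.uri());
        }
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("unexpected status " + resp.statusCode());
        }
        return resp.body();
    }

    public static void main(String[] args) {
        // Exercises only the request builder, so it runs without network access.
        try {
            request(URI.create("http://api.example.com/v1/me"), "t");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("built: " + request(URI.create("https://api.example.com/v1/me"), "t").uri());
    }
}
```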

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code sends HTTP requests using the HttpGet class over an unencrypted HTTP connection. This exposes any data sent or received—including sensitive information—to interception by attackers on the network.

Impact

If exploited, attackers could eavesdrop on or modify data transmitted between the application and the server, potentially stealing credentials, personal data, or injecting malicious content. This can lead to data breaches, compromised user accounts, and loss of trust in your application.
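The following is an added example, not code from the page or from the Apache project, and it serves both this HttpGet rule and the Apache HttpComponents rule earlier on the page. It assumes HttpClient 4.x (package org.apache.http) and a hypothetical host api.example.com. Rather than checking every URL string, it builds a client whose connection manager registers only the "https" scheme, so an http:// HttpGet cannot connect no matter where the URL came from.

```java
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;

import java.io.IOException;

public class ApacheHttpsOnly {

    /** Vulnerable: createDefault() speaks both http and https, and the literal URL picks http. */
    static String fetchInsecure(String token) throws IOException {
        try (CloseableHttpClient client = HttpClients.createDefault()) {
            HttpGet get = new HttpGet("http://api.example.com/v1/me"); // hypothetical host
            get.setHeader("Authorization", "Bearer " + token);
            try (CloseableHttpResponse resp = client.execute(get)) {
                return EntityUtils.toString(resp.getEntity());
            }
        }
    }

    /** Hardened: a client whose connection manager knows no "http" scheme at all. */
    static CloseableHttpClient httpsOnlyClient() {
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", SSLConnectionSocketFactory.getSocketFactory()) // default trust store + hostname verifier
                .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(20);
        return HttpClients.custom().setConnectionManager(cm).build();
    }

    static String fetch(CloseableHttpClient client, String url, String token) throws IOException {
        HttpGet get = new HttpGet(url);
        get.setHeader("Authorization", "Bearer " + token);
        try (CloseableHttpResponse resp = client.execute(get)) {
            int status = resp.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IllegalStateException("unexpected status " + status);
            }
            return EntityUtils.toString(resp.getEntity());
        }
    }

    public static void main(String[] args) throws IOException {
        try (CloseableHttpClient client = httpsOnlyClient()) {
            try {
                fetch(client, "http://api.example.com/v1/me", "t");
            } catch (IOException e) {
                // The connection operator throws UnsupportedSchemeException ("http protocol is not supported")
                // before any bytes leave the host.
                System.out.println("client refused cleartext: " + e.getMessage());
            }
        }
    }
}
```

Because the refusal lives in the client, it also covers HttpPost, HttpPut and any other request class built on the same instance, and it survives a later edit that changes a URL literal.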

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code sends HTTP requests using HttpURLConnection over an unencrypted (HTTP) connection instead of HTTPS. This means any data sent—including sensitive information—can be intercepted by attackers during transmission.

Impact

If exploited, attackers could eavesdrop on or tamper with data exchanged between the application and the server, potentially exposing user credentials, personal data, or other confidential information. This can lead to data breaches, account compromise, and loss of user trust.
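The following is an added example, not code from the page. It uses a hypothetical host api.example.com. The hardened version enforces TLS with an instanceof check on the opened connection (which works whether the URL is a literal or came from configuration) and handles redirects by hand so that a Location pointing at http:// or at a different host is never followed with the credential attached.

```java
import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;

public class UrlConnectionHttpsOnly {

    /** Vulnerable: the literal http:// URL yields a plain HttpURLConnection; the token is sent in cleartext. */
    static String fetchInsecure(String token) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL("http://api.example.com/v1/me").openConnection(); // hypothetical host
        c.setRequestProperty("Authorization", "Bearer " + token);
        try (InputStream in = c.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Hardened: openConnection() does not connect yet, so refusing a non-TLS connection here costs no traffic. */
    static HttpsURLConnection openHttps(URL url) throws IOException {
        URLConnection raw = url.openConnection();
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IllegalArgumentException("refusing non-TLS connection to " + url);
        }
        HttpsURLConnection c = (HttpsURLConnection) raw;
        c.setInstanceFollowRedirects(false); // redirects are handled below with scheme and host checks
        c.setConnectTimeout(10_000);
        c.setReadTimeout(30_000);
        return c;
    }

    static String fetch(String url, String token) throws IOException {
        URL target = new URL(url);
        for (int hop = 0; hop < 5; hop++) {
            HttpsURLConnection c = openHttps(target);
            c.setRequestProperty("Authorization", "Bearer " + token);
            int status = c.getResponseCode();
            if (status / 100 == 3) {
                String location = c.getHeaderField("Location");
                c.disconnect();
                if (location == null) {
                    throw new IllegalStateException("redirect without Location");
                }
                URL next = new URL(target, location); // resolves relative Locations; openHttps re-checks the scheme
                if (!next.getHost().equalsIgnoreCase(target.getHost())) {
                    throw new IllegalStateException("refusing to forward credentials to another host: " + next);
                }
                target = next;
                continue;
            }
            if (status != 200) {
                throw new IllegalStateException("unexpected status " + status);
            }
            try (InputStream in = c.getInputStream()) {
                return new String(in.readAllBytes(), StandardCharsets.UTF_8);
            }
        }
        throw new IllegalStateException("too many redirects");
    }

    public static void main(String[] args) throws IOException {
        // Exercises only the guard, so it runs without network access.
        try {
            openHttps(new URL("http://api.example.com/v1/me"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```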

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code configures the client to use insecure or outdated TLS/SSL protocol versions, for example an SSLContext requested as "TLSv1" or any SSLv2/SSLv3 context. SSLv2 and SSLv3 are prohibited (RFC 6176, RFC 7568) and TLS 1.0 and 1.1 are deprecated (RFC 8996); all have known weaknesses (POODLE against SSLv3, BEAST-style attacks on TLS 1.0's CBC mode) that let an attacker on the path downgrade or decrypt the session. Requesting the generic "TLS" context is only part of the fix: the enabled protocol list on the socket or client must also exclude the old versions.

Impact

Using weak transport protocols allows attackers to intercept or manipulate sensitive data sent between the client and server, potentially leading to data theft, account compromise, or unauthorized access to confidential information. This can expose users and the organization to data breaches and compliance violations.
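The following is an added example, not code from the page. It contrasts an SSLContext pinned to TLSv1 with a generic "TLS" context restricted to TLS 1.2 and 1.3, and applies that restriction both to a raw SSLSocket (where the enabled list is per socket) and to a java.net.http.HttpClient (Java 11 and later). The host and port are whatever the caller supplies.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.net.http.HttpClient;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class TlsProtocolSelection {

    static final String[] ALLOWED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    /** Vulnerable: the pattern the rule flags. Requesting "TLSv1" caps the negotiation at TLS 1.0. */
    static SSLContext legacyContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(null, null, null);
        return ctx;
    }

    /** Hardened: "TLS" negotiates the highest mutually supported version; the allow-list below narrows it. */
    static SSLContext modernContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // null = platform key and trust managers
        return ctx;
    }

    /** Parameters that a client builder can take wholesale. */
    static SSLParameters restrictedParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(ALLOWED_PROTOCOLS);
        return p;
    }

    /** Raw socket: the enabled list is per socket, so the context alone does not exclude TLSv1 if the JDK still enables it. */
    static SSLSocket openSocket(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.setEnabledProtocols(ALLOWED_PROTOCOLS);
        s.startHandshake(); // fails here if the peer cannot do 1.2 or 1.3, before any application data is sent
        return s;
    }

    /** java.net.http: the same restriction passed to the client builder. */
    static HttpClient httpClient(SSLContext ctx) {
        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(restrictedParameters(ctx))
                .build();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SSLContext ctx = modernContext();
        System.out.println("JDK default enabled: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("restricted to:       " + Arrays.toString(restrictedParameters(ctx).getProtocols()));
    }
}
```

The JVM-wide alternative is the jdk.tls.disabledAlgorithms entry in java.security, which recent JDKs already use to disable TLSv1 and TLSv1.1; the per-socket allow-list above is what protects code that runs on an older or locally modified runtime.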

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: high
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code creates plain Java sockets (java.net.ServerSocket or java.net.Socket) rather than their TLS counterparts (javax.net.ssl.SSLServerSocket and SSLSocket), so everything written to the socket crosses the network in plain text, readable and modifiable by anyone who can see the traffic.

Impact

If exploited, attackers could eavesdrop on or tamper with data exchanged between clients and servers, leading to exposure of credentials, personal information, or other confidential data. This can result in data breaches, identity theft, or unauthorized access to the application.
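The following is an added example, not code from the page. It shows the plain Socket/ServerSocket pair the rule flags beside the SSLSocket/SSLServerSocket replacements, for a made-up one-line "AUTH <credential>" protocol. The caveat a practitioner needs here: a raw SSLSocket validates the certificate chain but does not, by default, check that the certificate names the host you dialled, so the client sets the endpoint identification algorithm before the handshake. The server side assumes a key pair in the JVM key store (javax.net.ssl.keyStore / keyStorePassword system properties).

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class TlsSockets {

    /** Vulnerable: plain TCP on both ends; the credential crosses the wire readable by anyone on the path. */
    static void insecureClient(String host, int port, String credential) throws IOException {
        try (Socket s = new Socket(host, port);
             Writer w = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8)) {
            w.write("AUTH " + credential + "\n");
            w.flush();
        }
    }

    static ServerSocket insecureServer(int port) throws IOException {
        return new ServerSocket(port);
    }

    /** Hardened client: TLS socket from the default factory, with hostname verification switched on. */
    static SSLSocket secureClient(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        // Without this, SSLSocket validates the chain but does NOT check that the certificate names `host`.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // fail here, before any application data is written
        return s;
    }

    /** Hardened server: presents the key pair from the JVM key store. */
    static SSLServerSocket secureServer(int port) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(port);
        ss.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
        return ss;
    }

    /** Same application protocol as before, now inside the TLS session. */
    static void sendCredential(SSLSocket s, String credential) throws IOException {
        Writer w = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8);
        w.write("AUTH " + credential + "\n");
        w.flush();
    }

    public static void main(String[] args) throws IOException {
        // Usage: java TlsSockets <host> <port>
        try (SSLSocket s = secureClient(args[0], Integer.parseInt(args[1]))) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

SSLServerSocket accepts into SSLSocket instances, so the accept loop of the existing server changes type only; the read/write code on both sides stays as it was.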

Cleartext Transmission of Sensitive Information

Property

Language: java
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The cookie is created without setting the ‘secure’ flag to true, which means it can be sent over unencrypted HTTP connections. This exposes sensitive cookie data, like session identifiers, to potential interception.

Impact

If the Secure flag is not set, the browser attaches the cookie to any http:// request for the site, including requests the application itself never serves: an attacker on the network path only has to induce one cleartext request (an injected image or link, a captive portal page) to capture the cookie by sniffing, then hijack the session or access private data. This can lead to account compromise and unauthorized access to sensitive areas of the application, even when the application only listens on HTTPS.
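The following is an added example, not code from the page. It assumes the Servlet API (javax.servlet.http; jakarta.servlet.http on newer stacks) and shows the cookie the rule flags beside one with Secure and HttpOnly set, and a third written as a raw Set-Cookie header so that SameSite and the __Host- prefix can be used on Servlet versions whose Cookie class has no setter for them. The cookie names are illustrative.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SessionCookies {

    /** Vulnerable: no Secure flag, so the browser also attaches it to any http:// request for the host. */
    static void setInsecure(HttpServletResponse resp, String sessionId) {
        Cookie c = new Cookie("JSESSIONID", sessionId);
        c.setPath("/");
        resp.addCookie(c);
    }

    /** Hardened with the Cookie API: Secure and HttpOnly. */
    static void setSecure(HttpServletResponse resp, String sessionId) {
        Cookie c = new Cookie("JSESSIONID", sessionId);
        c.setPath("/");
        c.setSecure(true);   // only sent over TLS
        c.setHttpOnly(true); // not readable from script, so an XSS cannot exfiltrate it
        c.setMaxAge(-1);     // session cookie; discarded when the browser closes
        resp.addCookie(c);
    }

    /**
     * Hardened with a raw header: SameSite limits cross-site sends, and the __Host- prefix makes the
     * browser itself reject the cookie unless it carries Secure, has no Domain attribute and Path=/.
     */
    static void setSecureWithSameSite(HttpServletResponse resp, String sessionId) {
        String header = "__Host-SESSION=" + sessionId
                + "; Path=/; Secure; HttpOnly; SameSite=Strict";
        resp.addHeader("Set-Cookie", header);
    }

    /** What a checker sees: true only if every attribute a session cookie needs is present. */
    static boolean isHardened(String setCookieHeader) {
        String h = setCookieHeader.toLowerCase();
        return h.contains("; secure") && h.contains("; httponly") && h.contains("samesite=");
    }

    public static void main(String[] args) {
        System.out.println(isHardened("JSESSIONID=abc; Path=/"));                                   // false
        System.out.println(isHardened("__Host-SESSION=abc; Path=/; Secure; HttpOnly; SameSite=Strict")); // true
    }
}
```

For container-managed session cookies the same flags can be set once in web.xml with `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` (Servlet 3.0 and later), which is preferable to touching every place a cookie is created.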