Cleartext Transmission of Sensitive Information

Property
Languagejava
Severitylow
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelLow
Impact LevelLow
Likelihood LevelLow

Description

Cookies are being created without explicitly setting the ‘secure’ flag to true, which means they can be transmitted over unencrypted HTTP connections. This exposes sensitive cookie data to network eavesdroppers.

Impact

If exploited, attackers could intercept cookies containing session or authentication information over insecure networks, leading to account hijacking, session fixation, or exposure of sensitive user data. This compromises both user privacy and application security.

Cleartext Transmission of Sensitive Information

Property
Languagetypescript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

The S3 bucket is created without enforcing SSL connections (’enforceSSL’ is not set to true), allowing clients to access the bucket over unencrypted HTTP. This exposes any data transmitted to or from the bucket to interception.

Impact

Sensitive information stored or retrieved from the S3 bucket could be intercepted by attackers if accessed over insecure connections. This may lead to data leaks, compliance violations, and increases the risk of man-in-the-middle attacks compromising your application’s confidentiality.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelLow

Description

The code is making network requests using HTTP instead of HTTPS, which means data sent and received is not encrypted. This exposes sensitive information to anyone who can intercept the network traffic.

Impact

Attackers on the same network could eavesdrop on or tamper with data being transmitted, potentially stealing credentials, personal data, or injecting malicious content. This can lead to data breaches, compromised user accounts, and loss of user trust.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitylow
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelLow
Impact LevelLow
Likelihood LevelLow

Description

Database connections using Sequelize are established without enforcing TLS/SSL encryption, meaning sensitive data like credentials can be transmitted in plain text over the network. This exposes the connection to interception by attackers.

Impact

Without TLS/SSL, attackers on the network could eavesdrop on or tamper with database traffic, stealing credentials or sensitive data and potentially injecting malicious data. This undermines both data confidentiality and integrity, putting application and user information at risk.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitylow
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelLow
Impact LevelLow
Likelihood LevelLow

Description

The code configures the database connection to use outdated TLS versions (1.0 or 1.1), which are no longer considered secure. This weakens the encryption used for data sent between your app and the database.

Impact

Using deprecated TLS versions makes it easier for attackers to intercept or tamper with sensitive data, potentially exposing user information or credentials. This can lead to data breaches, compliance violations, and undermine the security of your application.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

FTP connections made using the ‘ftp’ module in Node.js without setting ‘secure: true’ send data, including credentials, over the network without encryption. This exposes sensitive information to anyone who can monitor network traffic.

Impact

An attacker could intercept and read unencrypted FTP traffic, potentially stealing usernames, passwords, or other sensitive data transmitted between your application and the FTP server. This could lead to data breaches, compromised accounts, or further attacks on your systems.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

The code sets up a Telnet server or client, which communicates without encrypting data. This means any sensitive information sent or received (like passwords) can be viewed by anyone monitoring the network.

Impact

Attackers can intercept and read all information exchanged over Telnet, including credentials and private data. This exposes users and systems to risks like credential theft, unauthorized access, and data breaches.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

The code is making HTTP requests to external sites using popular Node.js libraries (like axios, got, or node-rest-client) without encryption. Sending data over plain HTTP means sensitive information can be easily intercepted by attackers.

Impact

If exploited, attackers can eavesdrop on unencrypted network traffic, stealing credentials, session tokens, or other sensitive data. This can lead to account compromise, data breaches, and loss of user trust in your application.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

The server is configured to allow outdated security protocols (SSL v2, SSL v3, or TLS v1), which are known to be insecure. These protocols are vulnerable to various attacks and should be explicitly disabled when creating HTTPS servers.

Impact

Allowing these deprecated protocols can let attackers intercept or modify sensitive data in transit, potentially leading to data breaches, session hijacking, or unauthorized access. This exposes both users and the application to significant security risks.

Cleartext Transmission of Sensitive Information

Property
Languagejavascript
Severitymedium
CWECWE-319: Cleartext Transmission of Sensitive Information
OWASPA03:2017 - Sensitive Data Exposure
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

Disabling TLS verification by setting NODE_TLS_REJECT_UNAUTHORIZED to 0 or using rejectUnauthorized: false allows connections to untrusted servers. This bypasses certificate validation and makes secure connections insecure.

Impact

Attackers can intercept and read sensitive data by performing man-in-the-middle attacks, since the application will trust any server, even malicious ones. This can lead to data theft, account compromise, and loss of user trust.