Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Low

Description

Using ‘ssl.wrap_socket()’ creates an insecure SSL/TLS connection because it does not support critical security features like server name indication and hostname verification. This makes the encrypted connection vulnerable to interception or impersonation.

Impact

If exploited, attackers could perform man-in-the-middle attacks to intercept or alter sensitive data transmitted over the connection, potentially exposing credentials, personal information, or other confidential data and undermining trust in the application’s security.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Low

Description

The code uses outdated or insecure SSL/TLS versions (such as SSLv2, SSLv3, TLSv1.0, or TLSv1.1) for secure connections. These protocols are deprecated and contain known vulnerabilities that make encrypted communications unsafe.

Impact

Attackers could exploit weaknesses in these old protocols to intercept or manipulate sensitive data, perform man-in-the-middle attacks, or decrypt confidential information. This can lead to data breaches, loss of user trust, and regulatory compliance violations.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Low
Impact Level	Low
Likelihood Level	Low

Description

Manually setting SSL/TLS ciphers using set_ciphers() can override Python’s secure defaults and unintentionally enable weak or outdated encryption. This increases the risk of using insecure cryptographic algorithms.

Impact

If weak ciphers are enabled, attackers could exploit vulnerabilities to decrypt or tamper with sensitive data in transit. This can lead to information disclosure, compromised user data, or interception of confidential communications.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

The code is generating RSA keys with a size less than 2048 bits, which is below current security standards. Keys of this size are considered weak and can be vulnerable to modern attacks.

Impact

Using insufficiently sized RSA keys makes it easier for attackers to break the encryption, potentially exposing sensitive data or allowing unauthorized access. This could compromise confidential information and undermine the security of your application or users.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

The code generates elliptic curve (EC) keys using curves with insufficient key sizes (e.g., SECP192R1 or SECT163K1), which do not meet current security standards. This makes the cryptographic keys easier to break with modern computing power.

Impact

Using weak EC key sizes can allow attackers to compromise encrypted data by cracking the keys faster, leading to potential data breaches, unauthorized access, or exposure of sensitive information. This undermines the overall security of your application and may put user data at risk.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

The code generates DSA cryptographic keys with a size less than 2048 bits, which is considered too weak by modern security standards. This makes the keys easier to break using current computing power.

Impact

Using weak DSA keys can allow attackers to crack the encryption, leading to exposure of sensitive data, impersonation, or unauthorized access. This undermines the security of your application and puts both user and organizational data at risk.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	Low

Description

The code is generating RSA keys with a size smaller than 3072 bits, which is below current security standards. This makes the encryption easier to break using modern computing power.

Impact

Using weak RSA keys can allow attackers to decrypt sensitive data, impersonate users, or bypass authentication. This exposes confidential information and could lead to data breaches or loss of trust in your application.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	Low

Description

The code is generating DSA keys with a size smaller than 2048 bits, which is considered insecure by current standards. Using weak keys makes encrypted data easier to break with modern computing power.

Impact

Attackers could exploit the weak DSA keys to compromise encrypted communications or sensitive data, potentially leading to data breaches, unauthorized access, or loss of confidentiality. This puts user information and the integrity of the application at significant risk.

Property
Language
Severity
CWE	CWE-326: Inadequate Encryption Strength
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	High

Description

The code is generating RSA encryption keys with a size smaller than 2048 bits, which does not meet current security standards and can be easily broken by attackers. Using weak key sizes undermines the effectiveness of encryption.

Impact

Attackers could decrypt sensitive data, impersonate users, or tamper with protected information by exploiting the weak RSA keys. This exposes the application and its users to data breaches and loss of confidentiality, putting compliance and trust at risk.

Property
Language	apex
Severity
CWE	CWE-540: Inclusion of Sensitive Information in Source Code
Confidence Level	High
Impact Level	High
Likelihood Level	Low

Description

Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.