Cleartext Transmission of Sensitive Information

Property
Language: javascript
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code sends HTTP requests over plain ‘http://’ URLs instead of secure ‘https://’, meaning data is transmitted without encryption. This exposes any information sent or received to being intercepted by attackers.

Impact

Attackers on the same network can eavesdrop on or modify sensitive data in transit, such as authentication tokens, personal information, or API responses. This can lead to data breaches, account compromise, and loss of user trust.

Cleartext Transmission of Sensitive Information

Property
Language: javascript
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code is using HTTP servers instead of HTTPS, which means data sent between clients and the server is not encrypted. This exposes sensitive information to anyone who can intercept the network traffic.

Impact

An attacker could eavesdrop on or tamper with data transmitted between users and your application, potentially stealing credentials, session tokens, or personal data. This can lead to user account compromise, data breaches, and loss of trust in your service.

Cleartext Transmission of Sensitive Information

Property
Language: javascript
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code creates an HTTPS server without explicitly disabling outdated protocols such as SSL v2, SSL v3, and TLS v1. These protocols have known weaknesses, and leaving them negotiable allows a client (or an attacker in the path) to downgrade the connection to a protocol version vulnerable to known attacks.

Impact

If exploited, attackers could intercept or manipulate sensitive data transmitted over HTTPS, potentially leading to data theft, session hijacking, or man-in-the-middle attacks. This compromises both user privacy and application security.

Cleartext Transmission of Sensitive Information

Property
Language: php
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code uses FTP functions to transfer files, which sends data—including usernames, passwords, and file contents—over the network without encryption. This exposes sensitive information to anyone who can intercept the network traffic.

Impact

If exploited, attackers could capture confidential data or credentials during transfer, leading to unauthorized access, data breaches, or manipulation of files. This can compromise user privacy and the security of your application or infrastructure.

Cleartext Transmission of Sensitive Information

Property
Language: php
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code disables SSL/TLS certificate verification in cURL requests by setting CURLOPT_SSL_VERIFYPEER to false, 0, or null. With verification off, the connection is still encrypted but the peer is no longer authenticated, so a request will proceed even if the server’s certificate is invalid, expired, self-signed, or issued by an untrusted authority.

Impact

Disabling SSL verification exposes sensitive data to interception and man-in-the-middle attacks. Attackers could impersonate trusted servers, steal credentials, or alter data in transit, compromising the security of your application and its users.

Cleartext Transmission of Sensitive Information

Property
Language: python
Severity: medium
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The security context for Dask (distributed.security.Security) is being initialized without enabling encryption (require_encryption=False), which means data may be sent over the network in plain text. This exposes sensitive information to anyone who can intercept the network traffic.

Impact

Without encryption, attackers could eavesdrop on or manipulate sensitive data transmitted between Dask components, leading to data breaches, credential theft, or unauthorized access. This can compromise the confidentiality and integrity of your distributed computations and sensitive user data.

Cleartext Transmission of Sensitive Information

Property
Language: python
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Using Python’s telnetlib sends all data, including passwords, over the network without encryption. This makes sensitive information easily accessible to anyone who can intercept the traffic.

Impact

Attackers can eavesdrop on network communications and steal credentials or other sensitive data sent via Telnet, leading to unauthorized access and data breaches. Using unencrypted protocols like Telnet exposes your users and systems to significant security risks.

Cleartext Transmission of Sensitive Information

Property
Language: python
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code uses urllib to open URLs starting with ‘http://’, which means data is transmitted without encryption. This exposes any information sent or received to interception by attackers.

Impact

Sensitive data such as credentials, personal information, or session tokens could be captured or tampered with by anyone monitoring the network. This can lead to data breaches, account compromise, or other security incidents affecting users and the organization.

Cleartext Transmission of Sensitive Information

Property
Language: python
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code uses urllib.request.urlretrieve() to download files over an unencrypted HTTP connection. The transfer is visible to anyone on the network path, and nothing protects the downloaded content against eavesdropping or tampering in transit.

Impact

Attackers could intercept or modify files downloaded by your application, potentially injecting malicious code or stealing sensitive information. Users and systems relying on the downloaded content may be put at risk, and organizational data integrity can be compromised.

Cleartext Transmission of Sensitive Information

Property
Language: python
Severity: low
CWE: CWE-319: Cleartext Transmission of Sensitive Information
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code uses urllib to open an FTP URL, which transmits data in plain text without encryption. This means any sensitive information sent or received can be intercepted by attackers.

Impact

If exploited, attackers can eavesdrop on the network traffic to steal credentials, confidential data, or manipulate files being transferred. This can lead to data breaches or unauthorized access, especially if the FTP connection is used for sensitive operations.