Inadequate Encryption Strength
| Property | |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-326: Inadequate Encryption Strength |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The server configuration is missing the ‘ssl_protocols’ directive, which means outdated and insecure TLS versions (like TLSv1 and TLSv1.1) may be enabled by default. This exposes encrypted traffic to known vulnerabilities.
Impact#
Attackers could exploit weak encryption protocols to intercept or decrypt sensitive data transmitted between clients and the server. This can lead to data breaches, credential theft, or unauthorized access to confidential information.