Channel Accessible by Non-Endpoint
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-300: Channel Accessible by Non-Endpoint |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The gRPC client is configured with `grpc.WithInsecure()`, so it connects to the server without encryption. All data sent between client and server is transmitted in plain text and can be intercepted.
Impact
Without encryption, attackers on the network can read or modify sensitive gRPC messages, potentially exposing confidential data or injecting malicious commands. This undermines the security of both client and server, making it easier for attackers to compromise the application or gain unauthorized access.
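One way to locate the `grpc.WithInsecure()` call described above in Go source, including when the grpc package is imported under an alias. This is an added example, not this rule's own implementation; `FindPlaintextDials` and the sample source are constructed for illustration, and the sample shows the flagged call beside a dial that passes TLS credentials through `grpc.WithTransportCredentials`.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// sample is constructed input: one cleartext dial and one dial with TLS credentials.
const sample = `package client
import rpc "google.golang.org/grpc"
import "google.golang.org/grpc/credentials"
func dial(addr string, tc credentials.TransportCredentials) {
	rpc.Dial(addr, rpc.WithInsecure())               // cleartext channel
	rpc.Dial(addr, rpc.WithTransportCredentials(tc)) // TLS channel
}
`

// FindPlaintextDials returns the source lines that call WithInsecure on the grpc package.
func FindPlaintextDials(src string) (lines []int, err error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := "" // name the grpc package is imported under; empty if not imported
	for _, imp := range file.Imports {
		if p, _ := strconv.Unquote(imp.Path.Value); p == "google.golang.org/grpc" {
			local = "grpc"
			if imp.Name != nil {
				local = imp.Name.Name // aliased import
			}
		}
	}
	ast.Inspect(file, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "WithInsecure" {
				if x, ok := sel.X.(*ast.Ident); ok && x.Name == local {
					lines = append(lines, fset.Position(call.Pos()).Line)
				}
			}
		}
		return true
	})
	return lines, nil
}

func main() { fmt.Println(FindPlaintextDials(sample)) }
```

The check is syntactic: it matches on the import name only, so a dot import of the grpc package is not covered.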