# Cleartext Transmission of Sensitive Information

| Property | Value |
|---|---|
| Language | Go |
| Severity | |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
## Description
The code sets the `MinVersion` field of a `tls.Config` (Go's `crypto/tls` package) to an outdated and insecure protocol (TLS 1.0, TLS 1.1, or SSL 3.0). These protocols are deprecated and no longer provide adequate protection for data in transit, so the server or client will accept connections that a modern peer should refuse.
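The following is an added example, not code from the original rule page or from any project it describes. It puts the flagged configuration (a server pinned to TLS 1.0) beside the corrected one (a floor of TLS 1.2), adds a small review helper that classifies a `tls.Config` by its `MinVersion`, and runs an in-memory handshake against a client that refuses anything below TLS 1.2 so the consequence of each setting is visible. The certificate, the host name `example.test`, and the helper names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// InsecureServerConfig is the pattern the rule flags: the floor is pinned to
// TLS 1.0. MaxVersion is pinned too, only so the handshake below shows what a
// server stuck on the deprecated protocol does against a modern client.
func InsecureServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10, // flagged: deprecated protocol
		MaxVersion:   tls.VersionTLS10,
	}
}

// HardenedServerConfig raises the floor to TLS 1.2 and leaves MaxVersion at
// the library default, so TLS 1.3 is negotiated when the peer supports it.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
}

// CheckMinVersion classifies a config the way a reviewer would: "weak" for an
// explicit floor below TLS 1.2, "unset" when the floor is left to the Go
// release's default (worth making explicit), "ok" otherwise.
func CheckMinVersion(cfg *tls.Config) string {
	switch {
	case cfg.MinVersion == 0:
		return "unset"
	case cfg.MinVersion < tls.VersionTLS12:
		return "weak"
	default:
		return "ok"
	}
}

// selfSignedCert builds a throwaway P-256 certificate for the constructed
// name "example.test" plus a pool that trusts it, so the client still verifies.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs an in-memory handshake between a server using serverCfg and
// a client that refuses anything below TLS 1.2. It returns the negotiated
// version, or 0 and the error when the handshake is rejected. The client is
// capped at TLS 1.2 only because net.Pipe is synchronous and a TLS 1.3
// server's first flight (which carries session tickets) would block on it.
func Handshake(serverCfg *tls.Config, roots *x509.CertPool) (uint16, error) {
	clientCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
		RootCAs:    roots,
		ServerName: "example.test",
	}
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(serverSide, serverCfg).Handshake() }()
	client := tls.Client(clientSide, clientCfg)
	err := client.Handshake()
	<-errc // the server side completes, or fails with an alert, once the client has
	if err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	for name, cfg := range map[string]*tls.Config{
		"insecure": InsecureServerConfig(cert),
		"hardened": HardenedServerConfig(cert),
	} {
		v, err := Handshake(cfg, roots)
		fmt.Printf("%s: review=%s negotiated=%#x err=%v\n", name, CheckMinVersion(cfg), v, err)
	}
}
```

Running it shows the TLS 1.0 server rejected by the client with a protocol-version alert, while the hardened server negotiates TLS 1.2 with the same client. `CheckMinVersion` is the static form of the same rule: it needs no handshake and can be applied to every `tls.Config` built in a code base, which is the check a reviewer or linter would run.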
## Impact
Using insecure TLS versions exposes sensitive information to attackers who can exploit known weaknesses in these protocols (such as POODLE against SSL 3.0) or position themselves as a man-in-the-middle to intercept, read, or modify data sent between clients and servers. This can lead to data breaches, credential theft, and compliance violations.