# Improper Certificate Validation

| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description
The code uses a TrustManager that does not properly validate SSL/TLS certificates, effectively accepting any certificate as trusted. This disables certificate verification and allows insecure connections.
## Impact
Attackers could intercept or tamper with sensitive data by performing man-in-the-middle attacks, since the application will trust any server certificate. This exposes users to data theft, credential compromise, and other serious security risks.
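The pattern described above, shown next to the fix, as an added example that is not part of this rule page: `trustAllContext` is the flagged `X509TrustManager` whose check methods accept every chain, while `validatingContext` hands chain validation to the JDK's own trust manager (the default trust store, or a PKCS12 file holding a private CA when that is the real reason the trust-all code was written). Class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrustExample {
    // INSECURE: the pattern this rule flags. Every chain passes unchecked, so any
    // server (including an on-path proxy presenting its own certificate) is trusted.
    static SSLContext trustAllContext() throws Exception {
        TrustManager[] acceptAnything = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAnything, new SecureRandom());
        return ctx;
    }

    // SECURE: delegate chain validation to the JDK's X509TrustManager. A null
    // trustStorePath uses the platform trust store; otherwise a PKCS12 file holding
    // your private CA is loaded, which is the fix for "our internal CA is not
    // trusted" rather than disabling validation. Keep the default HostnameVerifier
    // as well: replacing it with (host, session) -> true is the same bug one layer up.
    static SSLContext validatingContext(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = null;
        if (trustStorePath != null) {
            ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(trustStorePath)) {
                ks.load(in, password);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // null -> JDK default cacerts trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Pass `validatingContext(...).getSocketFactory()` to `HttpsURLConnection.setSSLSocketFactory` (or your HTTP client's equivalent); a connection to a server whose chain does not terminate at a trusted CA then fails with an `SSLHandshakeException` instead of silently succeeding.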