Property
Language: python
Severity: low
CWE: CWE-322: Key Exchange without Entity Authentication
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code configures a Paramiko SSH client to automatically trust any server's host key without verifying its authenticity. This means your application will connect to any SSH server, including potentially malicious ones, without checking whether it is the intended host.

Impact

If exploited, an attacker could perform a man-in-the-middle attack by impersonating a trusted server, intercepting sensitive data or credentials transmitted over SSH. This undermines the security of SSH connections and could lead to unauthorized access or data breaches.