Inadequate Encryption Strength
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-326: Inadequate Encryption Strength |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Calling the module-level `ssl.wrap_socket()` function creates an insecure SSL/TLS connection because it does not support critical security features like server name indication (SNI) and hostname verification. This makes the encrypted connection vulnerable to interception or impersonation.
Impact
If exploited, attackers could perform man-in-the-middle attacks to intercept or alter sensitive data transmitted over the connection, potentially exposing credentials, personal information, or other confidential data and undermining trust in the application’s security.
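The pattern from the description, with a minimal way to find it and a verified replacement. This is an added example, not part of the original rule page or the scanner's own code. The function names and the sample source are constructed for illustration, and the check only matches calls written literally as `ssl.wrap_socket(...)` (no import aliases).

```python
import ast
import socket
import ssl

# Constructed sample of the flagged pattern (kept as text: ssl.wrap_socket()
# was deprecated in Python 3.7 and removed in 3.12).
FLAGGED_SAMPLE = '''\
import socket, ssl
raw = socket.create_connection(("example.com", 443))
tls = ssl.wrap_socket(raw)
ctx = ssl.create_default_context()
ok = ctx.wrap_socket(raw, server_hostname="example.com")
'''


def find_module_wrap_socket(source):
    """Return line numbers of calls to the module-level ssl.wrap_socket()."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "wrap_socket"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "ssl"):
            hits.append(node.lineno)
    return sorted(hits)


def make_client_context():
    """Client context that verifies the certificate chain and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_tls(host, port=443, timeout=5.0):
    """Open a verified TLS connection; server_hostname drives SNI and matching."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return make_client_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    print("flagged lines:", find_module_wrap_socket(FLAGGED_SAMPLE))
    ctx = make_client_context()
    print("check_hostname:", ctx.check_hostname, "verify_mode:", ctx.verify_mode)
```

`SSLContext.wrap_socket()` on the last line of the sample is not flagged: the context method accepts `server_hostname`, which is what enables SNI and hostname matching.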