Improper Certificate Validation
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
The code disables SSL certificate verification by using ‘OpenSSL::SSL::VERIFY_NONE’, which allows connections to untrusted or malicious servers. This means encrypted connections are not properly validated and can be easily intercepted.
Impact#
Attackers could perform man-in-the-middle attacks to intercept or alter sensitive data transmitted over SSL/TLS connections, such as login credentials or personal information. This exposes users and the application to data theft, impersonation, and loss of trust.