SYM_GO_0071 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cleartext Transmission of Sensitive Information
| Property | Value |
|---|---|
| Language | Go |
| Severity | |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code sets the MinVersion field of a tls.Config to a deprecated protocol version: tls.VersionSSL30, tls.VersionTLS10 or tls.VersionTLS11. SSL 3.0 is deprecated by RFC 7568 and TLS 1.0 and 1.1 by RFC 8996; none of them provides adequate protection for data in transit, and a server or client configured this way will accept a peer that negotiates down to the weakest version still allowed. Current Go releases default MinVersion to TLS 1.2 when the field is left at zero, so an explicit lower value is a deliberate downgrade rather than an oversight in the library (Go 1.14 and later no longer implement SSL 3.0 at all, so tls.VersionSSL30 survives only as a constant).
Impact
Accepting these versions lets an attacker positioned between client and server exploit weaknesses specific to them, such as POODLE against SSL 3.0 and BEAST against the CBC cipher suites of TLS 1.0, to recover or tamper with data in transit; a man-in-the-middle can also force the downgrade whenever the peer still permits it. The result can be disclosure of credentials and session tokens, modification of traffic, and compliance findings, since PCI DSS has prohibited SSL and early TLS since 2018.
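The following is an added example, not code from the SymbioticSec database or from any scanned project. It shows the flagged pattern (a server tls.Config with MinVersion pinned to TLS 1.0) next to the corrected one, a static check of the kind this finding performs, and a real handshake over net.Pipe that demonstrates the consequence: a legacy client restricted to TLS 1.0 is admitted by the vulnerable config and refused by the hardened one. The self-signed certificate, the hostname example.test and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway P-256 certificate for the in-memory
// handshake below. Constructed test material, not a deployment certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// VulnerableServerConfig is the pattern this finding flags: MinVersion pinned
// to a deprecated protocol, so a peer that only speaks TLS 1.0 is accepted.
func VulnerableServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10, // flagged: deprecated protocol version
	}
}

// HardenedServerConfig pins the floor at TLS 1.2. Leaving MinVersion at 0
// defers to the library default (TLS 1.2 in current Go, but TLS 1.0 for
// servers in older releases), so an explicit floor is the portable fix.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
}

// MinVersionIsWeak is the static check behind the finding: an explicit
// MinVersion below TLS 1.2 (SSL 3.0, TLS 1.0 or TLS 1.1).
func MinVersionIsWeak(cfg *tls.Config) bool {
	return cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12
}

// NegotiatedVersion performs a real handshake over net.Pipe between the
// server config and a client offering TLS 1.0 up to clientMax. It returns the
// negotiated version, or the client-side error when the server refuses.
func NegotiatedVersion(server *tls.Config, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	defer srvConn.Close()

	done := make(chan struct{})
	go func() {
		defer close(done)
		tls.Server(srvConn, server).Handshake() // outcome is judged from the client side
	}()

	client := tls.Client(cliConn, &tls.Config{
		MinVersion:         tls.VersionTLS10, // a legacy client: does the server let it in?
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // test-only: the certificate is self-signed
	})
	err := client.Handshake()
	version := client.ConnectionState().Version
	cliConn.Close() // unblocks any post-handshake write the server may attempt
	<-done
	if err != nil {
		return 0, err
	}
	return version, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	for name, cfg := range map[string]*tls.Config{
		"vulnerable": VulnerableServerConfig(cert),
		"hardened":   HardenedServerConfig(cert),
	} {
		v, err := NegotiatedVersion(cfg, tls.VersionTLS10)
		fmt.Printf("%-10s weak=%v legacy client -> version=%#04x err=%v\n",
			name, MinVersionIsWeak(cfg), v, err)
	}
}
```

The legacy client sets MinVersion explicitly because a Go client left at the default will not offer TLS 1.0 at all; the vulnerable server completes a TLS 1.0 (0x0301) handshake with it, while the hardened server answers with a protocol_version alert. The same MinVersionIsWeak check applies unchanged to client-side configs, where the finding is equally relevant.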