SYM_JAVA_0076 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Validation of Certificate with Host Mismatch

| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-297: Improper Validation of Certificate with Host Mismatch |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

The code sends email over SMTP with SSL/TLS enabled but never verifies that the mail server's certificate was issued for the host it is connecting to. Any certificate presented during the handshake is accepted, so the encrypted connection gives no assurance of who is on the other end and can be impersonated.
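The weak configuration beside its hardened form, as an added example that is not taken from the database entry. It assumes the Jakarta Mail API (`jakarta.mail`), a server on port 465 that does not require authentication, and the placeholder host `smtp.example.invalid`; the property names are the standard `mail.smtp.*` keys.

```java
import java.util.Properties;
import jakarta.mail.Message;
import jakarta.mail.Session;
import jakarta.mail.Transport;
import jakarta.mail.internet.InternetAddress;
import jakarta.mail.internet.MimeMessage;

public class SmtpTlsExample {

    // The pattern this entry describes: TLS is switched on, but every issuer
    // is trusted and the server identity check is disabled, so a certificate
    // for any host is accepted on the connection.
    static Properties insecureSmtpProps(String host) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        p.put("mail.smtp.ssl.trust", "*");                    // trust any certificate
        p.put("mail.smtp.ssl.checkserveridentity", "false");  // skip hostname match
        return p;
    }

    // Hardened form: the chain is validated against the JVM trust store (no
    // mail.smtp.ssl.trust override) and the certificate must match the host.
    static Properties secureSmtpProps(String host) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        p.put("mail.smtp.ssl.checkserveridentity", "true");   // enforce RFC 2595 identity check
        p.put("mail.smtp.ssl.protocols", "TLSv1.2 TLSv1.3");  // no legacy protocol fallback
        return p;
    }

    static void send(Properties props, String from, String to, String subject, String body)
            throws Exception {
        Session session = Session.getInstance(props);
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipients(Message.RecipientType.TO, InternetAddress.parse(to));
        msg.setSubject(subject);
        msg.setText(body);
        Transport.send(msg);  // with the secure props a host mismatch aborts the handshake
    }

    public static void main(String[] args) throws Exception {
        // Placeholder addresses and host; a real deployment substitutes its own.
        send(secureSmtpProps("smtp.example.invalid"),
             "app@example.invalid", "ops@example.invalid", "test", "hello");
    }
}
```

Older JavaMail releases default `mail.smtp.ssl.checkserveridentity` to `false`, so setting it explicitly is the reliable fix rather than relying on the library default.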
## Impact

Because the SMTP server's certificate identity is not verified, an attacker positioned between the application and the mail server can perform a man-in-the-middle attack: intercept or alter email contents, capture the SMTP credentials, or send fraudulent messages that appear to come from the application. This can lead to data breaches and loss of trust in mail the application sends.