SYM_PY_0001 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cleartext Transmission of Sensitive Information
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The security context for Dask (`distributed.security.Security`) is being initialized without enabling encryption (`require_encryption=False`), which means data may be sent over the network in plain text. This exposes sensitive information to anyone who can intercept the network traffic.
Impact
Without encryption, attackers could eavesdrop on or manipulate sensitive data transmitted between Dask components, leading to data breaches, credential theft, or unauthorized access. This can compromise the confidentiality and integrity of your distributed computations and sensitive user data.
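The pattern from the Description can be checked statically. The following is an added example, not the Symbiotic rule's own implementation: it walks a Python AST and reports `Security(...)` calls that do not pass a literal `require_encryption=True`. The function names, the sample source, its file names and scheduler address are constructed for illustration, and reporting an omitted keyword as a finding is an assumption of this example.

```python
import ast

# Constructed sample source: two weak Security() setups and one hardened one.
# File names and the scheduler address are placeholders.
SAMPLE = '''
from distributed import Client
from distributed.security import Security

weak = Security(require_encryption=False)
implicit = Security()
strong = Security(
    tls_ca_file="ca.pem",
    tls_client_cert="client.pem",
    tls_client_key="client-key.pem",
    require_encryption=True,
)
client = Client("tls://scheduler.example:8786", security=strong)
'''


def _is_security_call(node):
    """Match Security(...) and dotted forms such as distributed.security.Security(...)."""
    func = node.func
    name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
    return name == "Security"


def find_unencrypted_security(source):
    """Return sorted (line, reason) pairs for Security() calls lacking require_encryption=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_security_call(node)):
            continue
        keywords = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        value = keywords.get("require_encryption")
        if value is None:
            # Assumption of this example: an omitted keyword is reported too.
            findings.append((node.lineno, "require_encryption not set"))
        elif not isinstance(value, ast.Constant):
            findings.append((node.lineno, "require_encryption is not a literal"))
        elif value.value is not True:
            findings.append((node.lineno, "require_encryption disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_unencrypted_security(SAMPLE):
        print(f"line {line}: {reason}")
```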