SYM_PY_0030 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Exchange without Entity Authentication
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-322: Key Exchange without Entity Authentication |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code configures a Paramiko SSH client to trust any server's host key automatically, without verifying its authenticity. This means the application will complete a connection to any SSH server that answers, including a potentially malicious one, without checking whether it is the intended host.
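The following Python block is an added example for this entry (not code from the Symbiotic database or from Paramiko itself). It puts the vulnerable Paramiko configuration next to a hardened one, and adds a small pure-Python `known_hosts` matcher so the reader can see what host key verification actually checks: a plain or hashed host pattern, a key type, and a pinned key that must equal the presented one. The hostnames, paths and key material are constructed placeholders, and the Paramiko calls (`SSHClient`, `AutoAddPolicy`, `RejectPolicy`, `load_host_keys`) are the library's real API. The matcher runs without Paramiko installed; the two client functions import it lazily.

```python
"""Paramiko host key verification: the insecure AutoAddPolicy setup beside a
hardened, pinned-known_hosts setup, plus a pure-Python matcher that shows what
host key verification actually checks.  Added example for this wiki entry; not
code from the Symbiotic database.  Hostnames, paths and keys are constructed."""
import base64
import hashlib
import hmac
import os

# Constructed placeholder public key (not a real server key), base64 as in known_hosts.
FAKE_KEY_B64 = base64.b64encode(b"placeholder-ed25519-public-key-bytes").decode()

# Constructed known_hosts content in OpenSSH format: "<host-pattern> <key-type> <base64-key>".
# Non-default ports are written as [host]:port, exactly as OpenSSH and Paramiko store them.
KNOWN_HOSTS_TEXT = f"""# constructed sample known_hosts
bastion.example.com ssh-ed25519 {FAKE_KEY_B64}
[jump.example.com]:2222 ssh-ed25519 {FAKE_KEY_B64}
"""


def hash_host(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH HashKnownHosts pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _host_matches(pattern: str, hostname: str) -> bool:
    """True if a known_hosts host pattern (plain, comma-separated, or hashed) names hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _digest = pattern.split("|", 3)
        expected = hash_host(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected.encode(), pattern.encode())
    return hostname in pattern.split(",")


def lookup_pinned_key(known_hosts_text: str, hostname: str, key_type: str):
    """Return the base64 key pinned for (hostname, key_type), or None if nothing is pinned."""
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and @cert-authority / @revoked markers (not handled here).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        pattern, ktype, key_b64 = parts[0], parts[1], parts[2]
        if ktype == key_type and _host_matches(pattern, hostname):
            return key_b64
    return None


def verify_host_key(known_hosts_text: str, hostname: str, key_type: str, presented_b64: str) -> str:
    """Decision a strict SSH client makes when the server presents its host key.

    "ok"       -> the presented key equals the pinned key.
    "unknown"  -> nothing is pinned for this host; a strict client refuses (RejectPolicy),
                  whereas AutoAddPolicy silently trusts and records the key.
    "mismatch" -> a key is pinned but differs: a possible man-in-the-middle or a legitimate
                  rekey; refuse and confirm the new key out of band before updating the pin.
    """
    pinned = lookup_pinned_key(known_hosts_text, hostname, key_type)
    if pinned is None:
        return "unknown"
    if hmac.compare_digest(pinned.encode(), presented_b64.encode()):
        return "ok"
    return "mismatch"


def insecure_client():
    """VULNERABLE (CWE-322): AutoAddPolicy accepts whatever key the peer presents and pins it,
    so an impersonating server reached on the first connection is trusted without any check."""
    import paramiko  # imported lazily so the verification helpers above run without it
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    return client


def hardened_client(known_hosts_path=None):
    """HARDENED: only keys already pinned in known_hosts are trusted.

    RejectPolicy makes connect() raise paramiko.SSHException for an unpinned host, and a
    pinned-but-different key raises paramiko.BadHostKeyException regardless of policy.
    load_host_keys() raises if the file is missing, which is the safe failure: an empty
    pin set must not quietly turn into "trust everything".
    """
    import paramiko
    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts_path or os.path.expanduser("~/.ssh/known_hosts"))
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    return client


if __name__ == "__main__":
    for host, key in [("bastion.example.com", FAKE_KEY_B64),
                      ("bastion.example.com", "AAAAnotTheRealKey"),
                      ("evil.example.com", FAKE_KEY_B64)]:
        print(host, "->", verify_host_key(KNOWN_HOSTS_TEXT, host, "ssh-ed25519", key))
```

In code review, the line to look for is `set_missing_host_key_policy(paramiko.AutoAddPolicy())` (and `WarningPolicy`, which logs but still connects); the fix is to ship or provision a `known_hosts` file with the expected server keys and use `RejectPolicy`. A "mismatch" result should be treated as an incident until the new key is confirmed through a trusted channel, since a silent re-pin would reintroduce the same weakness.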
Impact
If exploited, an attacker could perform a man-in-the-middle attack by impersonating a trusted server, intercepting sensitive data or credentials transmitted over SSH. This undermines the security of SSH connections and could lead to unauthorized access or data breaches.