SYM_RB_0018 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Certificate Validation
| Property | Value |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code sets the TLS `verify_mode` to `OpenSSL::SSL::VERIFY_NONE`, which disables certificate verification: the server's certificate chain is never checked against a trusted CA and its hostname is never compared with the name the client meant to reach. The connection is still encrypted, but to an unauthenticated peer, so any certificate (including a self-signed one minted on the spot) is accepted and the session can be terminated and read by whoever presented it. The correct setting is `OpenSSL::SSL::VERIFY_PEER` (the default that `SSLContext#set_params` and `Net::HTTP` apply), with an explicit `cert_store`, `ca_file` or `ca_path` when the server uses an internal CA or a self-signed certificate that the client is meant to trust.
Impact
An attacker positioned on the network path (a hostile Wi-Fi network, a compromised router or proxy, a DNS or BGP hijack) can perform a man-in-the-middle attack without holding a valid certificate for the target hostname, because the client accepts whatever certificate it is shown. Sensitive data sent over the connection, such as login credentials, session tokens or personal information, can then be intercepted or altered in transit, exposing users and the application to data theft, impersonation and loss of trust.
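The following Ruby script is an added example, not code from the Symbiotic database or from any project it describes. It starts a TLS server on loopback that presents a freshly generated self-signed certificate (standing in for the certificate an on-path attacker would present) and connects to it three times: once with the vulnerable `VERIFY_NONE` setting, once with `VERIFY_PEER` against the default trust store, and once with `VERIFY_PEER` plus the certificate explicitly added to a `cert_store`, which is the correct way to trust an internal certificate. The hostname `example.test`, the `SERVER_NAME` constant and all helper names are assumptions made for this demonstration.

```ruby
require "openssl"
require "socket"

# Hostname the client expects to reach; the self-signed cert is issued for this
# name so that only the trust decision differs between runs. (Assumed value.)
SERVER_NAME = "example.test"

# Build a throwaway self-signed certificate. No CA the client knows has signed
# it, which is exactly what an on-path attacker's certificate looks like.
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Run a one-shot TLS server on loopback presenting +cert+, yield its port, then
# tear it down. A handshake aborted by a client that rejects the certificate
# is the expected outcome for some runs, so those errors are swallowed here.
def with_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp    = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = server.accept
      conn.puts "hello from #{SERVER_NAME}"
      conn.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      nil # client sent an alert such as "unknown ca" and hung up
    end
  end
  yield tcp.addr[1]
ensure
  thread&.kill
  server&.close
end

# Attempt a TLS handshake with the given verify_mode and report the outcome.
# +trusted+ pins an explicit certificate; without it the client uses the default
# system store, which knows nothing about the self-signed certificate above.
def tls_client_outcome(port, verify_mode:, trusted: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: verify_mode) # also turns on verify_hostname
  if trusted
    store = OpenSSL::X509::Store.new
    store.add_cert(trusted)
    ctx.cert_store = store
  end
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname   = SERVER_NAME # SNI, and the name checked against the cert
  ssl.connect                  # raises SSLError unless verify_mode lets it pass
  ssl.gets
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  ssl ? ssl.close : tcp&.close
end

# Run the three client configurations against the same self-signed server.
def compare_verify_modes
  cert, key = make_self_signed_cert(SERVER_NAME)
  run = ->(**opts) { with_tls_server(cert, key) { |port| tls_client_outcome(port, **opts) } }
  {
    # The vulnerable setting: any certificate from anyone is accepted.
    verify_none:        run.call(verify_mode: OpenSSL::SSL::VERIFY_NONE),
    # The fix: the chain must lead to a trusted root, so this cert is refused.
    verify_peer:        run.call(verify_mode: OpenSSL::SSL::VERIFY_PEER),
    # Trusting an internal cert explicitly instead of switching verification off.
    verify_peer_pinned: run.call(verify_mode: OpenSSL::SSL::VERIFY_PEER, trusted: cert)
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_verify_modes.each { |mode, outcome| puts "#{mode}: #{outcome}" }
end
```

The `verify_none` run completes the handshake and reads the server's greeting even though nothing vouches for the certificate, which is the behaviour this rule flags; the `verify_peer` run fails with a "certificate verify failed" error from `SSLSocket#connect`; the pinned run succeeds because the certificate is in the client's own `cert_store` and its `subjectAltName` matches `ssl.hostname`. When reviewing code, look for `verify_mode = OpenSSL::SSL::VERIFY_NONE`, `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` on `Net::HTTP`, and `OpenSSL::SSL::VERIFY_NONE` passed through HTTP client libraries' `ssl` options.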