Improper Validation of Certificate with Host Mismatch

ID

scala.smtp.scala_smtp_rule_insecuresmtp

Severity

high

Resource

Smtp

Language

Scala

Description

An SSL/TLS connection to the SMTP server is configured, but verification that the server certificate matches the configured host name is never enabled, so the identity of the server is not checked.

Rationale

In Apache Commons Email, enabling SSL with setSSLOnConnect(true) (or STARTTLS with setStartTLSEnabled(true)) only encrypts the connection. Checking that the presented certificate was issued for the host passed to setHostName is controlled separately by setSSLCheckServerIdentity, which defaults to false; the underlying JavaMail property (mail.smtp.ssl.checkserveridentity) is only set when that method is called with true. Without it the handshake verifies only that the certificate chains to a trusted CA, not who it was issued to, so an attacker who can intercept the connection and present any valid certificate (for example one issued for a domain they control) can impersonate the mail server and capture SMTP credentials and message contents. This is the weakness described by CWE-297.

The following code illustrates the pattern detected by this rule. Each Email that calls setSSLOnConnect(true) without a matching setSSLCheckServerIdentity(true) is flagged; the first instance is not flagged because it does not open an SSL connection at all:

import org.apache.commons.mail.{HtmlEmail, MultiPartEmail, SimpleEmail}

object InsecureSmtpExample {
  def main(args: Array[String]): Unit = {
    // NOT FLAGGED: no SSL session is opened, so there is no server
    // certificate to validate (plain SMTP is cleartext, which is a
    // different problem from the one this rule detects)
    val email = new SimpleEmail
    email.setHostName("smtp.googlemail.com")
    email.setSSLOnConnect(false) //OK

    // VULNERABLE: Improper Validation of Certificate with Host Mismatch
    // SSL is enabled but setSSLCheckServerIdentity(true) is never called,
    // so the certificate's host name is not compared with smtp2.googlemail.com
    val email2 = new SimpleEmail
    email2.setHostName("smtp2.googlemail.com")
    email2.setSSLOnConnect(true) //BAD

    //email2.setSmtpPort(465)
    //email2.setAuthenticator(new DefaultAuthenticator("username", "password"))
    //email2.setFrom("user@gmail.com")
    //email2.setSubject("TestMail")
    //email2.setMsg("This is a test mail ... :-)")
    //email2.addTo("foo@bar.com")
    //email2.send()

    // VULNERABLE: Improper Validation of Certificate with Host Mismatch
    val emailMulti = new MultiPartEmail
    emailMulti.setHostName("mail.myserver.com")
    emailMulti.setSSLOnConnect(true)

    // VULNERABLE: Improper Validation of Certificate with Host Mismatch
    val htmlEmail = new HtmlEmail
    htmlEmail.setHostName("mail.myserver.com")
    htmlEmail.setSSLOnConnect(true)
  }
}

Remediation

Call setSSLCheckServerIdentity(true) on every Email that uses setSSLOnConnect(true) or STARTTLS, so that JavaMail rejects certificates whose subject does not match the host passed to setHostName. When using STARTTLS, also call setStartTLSRequired(true) so that a server (or an attacker in the path) that refuses the upgrade causes a failure rather than a silent fall back to cleartext. Do not rely on the mail provider's default for mail.smtp.ssl.checkserveridentity: Commons Email leaves the property unset unless asked, so set it explicitly. Disabling SSL (setSSLOnConnect(false)) silences this rule but sends credentials and messages in cleartext and is not a fix. Review the references below for further guidance.
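The vulnerable configuration beside its hardened forms, as an added example that is not part of the original rule page or of Commons Email itself. It assumes Commons Email 1.x (package org.apache.commons.mail); the host names are placeholders, and the helper names (secureSmtps, secureStartTls, identityCheckEnabled) are chosen here for illustration. The check reads back the JavaMail session that Commons Email builds, which lets you confirm in a unit test that the identity check actually reached the transport without opening a network connection:

```scala
import org.apache.commons.mail.{Email, EmailConstants, SimpleEmail}

object SmtpIdentityCheck {

  // SMTPS (implicit TLS on port 465) with host name verification enabled.
  // Assumes Commons Email 1.x; the host is supplied by the caller.
  def secureSmtps(host: String): Email = {
    val email = new SimpleEmail
    email.setHostName(host)
    email.setSslSmtpPort("465")
    email.setSSLOnConnect(true)
    email.setSSLCheckServerIdentity(true) // the call the rule expects to see
    email
  }

  // STARTTLS variant (port 587): require the upgrade so a downgrade to
  // cleartext fails instead of silently succeeding, and verify identity.
  def secureStartTls(host: String): Email = {
    val email = new SimpleEmail
    email.setHostName(host)
    email.setSmtpPort(587)
    email.setStartTLSEnabled(true)
    email.setStartTLSRequired(true)
    email.setSSLCheckServerIdentity(true)
    email
  }

  // Commons Email only sets mail.smtp.ssl.checkserveridentity when
  // setSSLCheckServerIdentity(true) was called together with SSL or STARTTLS.
  // getMailSession assembles the JavaMail Properties; nothing connects.
  def identityCheckEnabled(email: Email): Boolean =
    email.getMailSession.getProperty(EmailConstants.MAIL_SMTP_SSL_CHECKSERVERIDENTITY) == "true"

  def main(args: Array[String]): Unit = {
    // The flagged pattern: SSL on, identity check left at its default (false).
    val flagged = new SimpleEmail
    flagged.setHostName("mail.example.com") // placeholder host
    flagged.setSSLOnConnect(true)

    val fixedSmtps = secureSmtps("mail.example.com")       // placeholder host
    val fixedStartTls = secureStartTls("mail.example.com") // placeholder host

    println(s"flagged  checkserveridentity=${identityCheckEnabled(flagged)}")
    println(s"smtps    checkserveridentity=${identityCheckEnabled(fixedSmtps)}")
    println(s"starttls checkserveridentity=${identityCheckEnabled(fixedStartTls)}")
  }
}
```

identityCheckEnabled is the useful part for a code base that wraps Commons Email in its own factory: assert on it in a test so that a later refactor that drops the setSSLCheckServerIdentity call fails the build rather than silently shipping an unverified TLS connection.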

Configuration

This detector does not need any configuration.

References