Missing SSL host check in SMTP

Description

Missing SSL host check in SMTP can compromise the security of email communications. This vulnerability arises when the SMTP server's SSL certificate is not validated against the expected host name, so a certificate that is trusted but was issued for a different host is accepted. An attacker in a position to intercept the connection can then pose as the legitimate mail server using such a certificate.

Remediations

  • Do configure your email client to verify the server's identity. This step is crucial to prevent attackers from impersonating a trusted server, which could lead to redirection or spoofing attacks.
    import org.apache.commons.mail.Email;
    import org.apache.commons.mail.SimpleEmail;

    // Email is abstract in Commons Email; SimpleEmail is the concrete class.
    Email email = new SimpleEmail();
    email.setSSLOnConnect(true);           // encrypt the connection
    email.setSSLCheckServerIdentity(true); // require the certificate to match the host name
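
The weak configuration beside the corrected one, as an added example that is not part of the rule documentation or of Commons Email itself. The host name, port, credentials and addresses are hypothetical placeholders; the class and method names are the Apache Commons Email API.

```java
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SmtpHostCheckExample {

    // Hypothetical values for illustration only; replace with your own.
    private static final String SMTP_HOST = "smtp.example.test";
    private static final String SMTPS_PORT = "465";
    private static final String USER = "mailer";
    private static final String PASSWORD = "<placeholder>";

    // Weak: the transport is encrypted, but the certificate is never matched
    // against SMTP_HOST. Any certificate the JVM trusts is accepted, whatever
    // host it was issued for. setSSLCheckServerIdentity defaults to false.
    static Email buildWithoutHostCheck() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSslSmtpPort(SMTPS_PORT);
        email.setAuthenticator(new DefaultAuthenticator(USER, PASSWORD));
        email.setSSLOnConnect(true);
        return email;
    }

    // Hardened: the certificate's subject or SAN must match SMTP_HOST, or the
    // TLS handshake fails before any credentials or message data are sent.
    static Email buildWithHostCheck() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(SMTP_HOST);
        email.setSslSmtpPort(SMTPS_PORT);
        email.setAuthenticator(new DefaultAuthenticator(USER, PASSWORD));
        email.setSSLOnConnect(true);
        email.setSSLCheckServerIdentity(true);
        return email;
    }

    public static void main(String[] args) throws EmailException {
        Email email = buildWithHostCheck();
        if (!email.isSSLCheckServerIdentity()) {
            throw new IllegalStateException("server identity check is not enabled");
        }
        email.setFrom("noreply@example.test");
        email.addTo("ops@example.test");
        email.setSubject("host-check test");
        email.setMsg("Sent with SSL server identity verification enabled.");
        System.out.println("Delivered, message id " + email.send());
    }
}
```

Reviewing the configured Email before send() (as in main above) is a cheap way to catch builders that still use buildWithoutHostCheck.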

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_missing_smtp_ssl_host_check

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_missing_smtp_ssl_host_check