Missing SSL host check in SMTP

Description

SSL certificates must be validated to check that the certificate is from the expected host and the server identity is correct. Without such checks in place, the application is at risk of redirection or spoofing attacks, where an attacker impersonates a trusted host by using a valid SSL certificate from a different host.

Remediation

✅ Always configure the email client to check the server identity

  import org.apache.commons.mail.Email;
  import org.apache.commons.mail.SimpleEmail;

  // Email is abstract; SimpleEmail is the concrete class to instantiate
  Email email = new SimpleEmail();
  email.setSSLOnConnect(true);
  // Verify that the server certificate matches the configured host name
  email.setSSLCheckServerIdentity(true);
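An added example, not taken from the Bearer rule page or from the Apache Commons Email project, that places the misconfiguration this rule flags beside the hardened form, and shows the JavaMail property (mail.smtp.ssl.checkserveridentity) that Commons Email sets when setSSLCheckServerIdentity(true) is called; it assumes Commons Email 1.x on javax.mail, and the host names and addresses are placeholders.

```java
import java.util.Properties;
import javax.mail.Session;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SmtpIdentityCheck {

    // Flagged by the rule: TLS is enabled, so the certificate chain is
    // verified, but nothing checks that the certificate belongs to the
    // configured host. A valid certificate for any other host is accepted.
    static Email insecureClient() {
        Email email = new SimpleEmail();
        email.setHostName("smtp.example.com");   // placeholder host
        email.setSmtpPort(465);
        email.setSSLOnConnect(true);
        return email;
    }

    // Hardened: the certificate must also match smtp.example.com.
    static Email hardenedClient() {
        Email email = new SimpleEmail();
        email.setHostName("smtp.example.com");   // placeholder host
        email.setSmtpPort(465);
        email.setSSLOnConnect(true);
        email.setSSLCheckServerIdentity(true);
        return email;
    }

    // The same control when a JavaMail Session is built by hand, here with
    // STARTTLS on port 587: Commons Email translates
    // setSSLCheckServerIdentity(true) into this property.
    static Session hardenedSession() {
        Properties props = new Properties();
        props.put("mail.smtp.host", "smtp.example.com");   // placeholder host
        props.put("mail.smtp.port", "587");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.ssl.checkserveridentity", "true");
        return Session.getInstance(props);
    }

    public static void main(String[] args) throws EmailException {
        Email email = hardenedClient();
        email.setFrom("alerts@example.com");      // placeholder sender
        email.addTo("ops@example.com");           // placeholder recipient
        email.setSubject("TLS identity check demo");
        email.setMsg("Delivered only if the server certificate matches the host name.");
        // email.send();  // uncomment to send against a real server
    }
}
```

Note that the check only takes effect when a TLS mode (SSL on connect or STARTTLS) is also enabled; on its own, setSSLCheckServerIdentity(true) has nothing to verify.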

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_missing_smtp_ssl_host_check

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_missing_smtp_ssl_host_check
