securesauce / precli

Precaution CLI - command line static application security testing tool
https://precli.readthedocs.io/

Add new rule to check for context=None in nntp.starttls or NNTP_SSL #350

Closed ericwb closed 7 months ago

ericwb commented 7 months ago

If a context of unset or None is passed to NNTP_SSL, the implementation will default to creating an unverified context. This means the client connection will not properly verify the server it's connecting to. The instance method of starttls is also vulnerable.

Closes: #343
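The check described in this pull request, sketched with Python's `ast` module as an added example; it is not precli's rule implementation. The keyword names and positions follow the standard-library `nntplib` signatures, and the function names, the `SAMPLE` input and the rule of only tracking variables assigned directly from `NNTP(...)` are assumptions made for illustration.

```python
import ast

# Keyword name and positional index of the TLS context parameter, taken from
# the standard-library nntplib signatures.
CONTEXT_PARAM = {"NNTP_SSL": ("ssl_context", 4), "starttls": ("context", 0)}

def _callee(call):
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)

def _context_missing(call, keyword, index):
    """True when the context argument is omitted or is the literal None."""
    value = call.args[index] if len(call.args) > index else None
    for k in call.keywords:
        if k.arg in (keyword, None):  # None is **kwargs: may supply the context
            value = k.value
    return value is None or (isinstance(value, ast.Constant) and value.value is None)

def find_unverified_nntp(source):
    """Return sorted (line, callee) pairs for NNTP TLS calls lacking a context."""
    nodes = list(ast.walk(ast.parse(source)))
    # Names bound directly to NNTP(...), so other libraries' starttls() is ignored.
    clients = {t.id for n in nodes
               if isinstance(n, ast.Assign) and isinstance(n.value, ast.Call)
               and _callee(n.value) == "NNTP"
               for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for call in (n for n in nodes if isinstance(n, ast.Call)):
        name = _callee(call)
        if name == "starttls":
            recv = getattr(call.func, "value", None)
            if not (isinstance(recv, ast.Name) and recv.id in clients):
                continue
        elif name != "NNTP_SSL":
            continue
        if _context_missing(call, *CONTEXT_PARAM[name]):
            findings.append((call.lineno, name))
    return sorted(findings)

# Constructed sample input; it is parsed, never executed.
SAMPLE = '''\
import nntplib, smtplib, ssl
a = nntplib.NNTP_SSL("news.example.org")
b = nntplib.NNTP_SSL("news.example.org", ssl_context=None)
c = nntplib.NNTP_SSL("news.example.org", ssl_context=ssl.create_default_context())
d = nntplib.NNTP("news.example.org")
d.starttls()
d.starttls(context=ssl.create_default_context())
smtplib.SMTP("mail.example.org").starttls()
'''
```

On `SAMPLE` the function reports lines 2, 3 and 6; the calls that pass `ssl.create_default_context()` and the `smtplib` call are not reported.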