Description
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
Potential Impact
Confidentiality
Read Application Data
Integrity
Modify Application Data
Mitigations & Prevention
The product configuration should ensure that TLS (historically SSL), or an encryption mechanism of equivalent strength and vetted reputation, is used for all access-controlled pages. In a J2EE deployment descriptor (web.xml) this means every security-constraint that has an auth-constraint must also carry a user-data-constraint whose transport-guarantee is CONFIDENTIAL; when the element is omitted the servlet specification treats it as NONE, and the container will serve the authenticated page over plaintext HTTP.
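As an added example (not part of the original page or of any particular J2EE project), the following Python script audits a web.xml deployment descriptor for exactly this misconfiguration: it finds every security-constraint that gates access with an auth-constraint but does not require a CONFIDENTIAL transport guarantee. The two embedded descriptors are constructed for the example; the URL patterns and role names are hypothetical. The weak descriptor shows both ways the flaw appears in practice (an explicit NONE and a missing user-data-constraint), and the hardened one shows the corrected configuration.

```python
"""Audit a J2EE web.xml for access-controlled URL patterns that are not forced
onto TLS (CWE-5).  An access-controlled <security-constraint> (one that has an
<auth-constraint>) must also carry a <user-data-constraint> with
<transport-guarantee>CONFIDENTIAL</transport-guarantee>; a missing element or
NONE means the container will serve the page over plaintext HTTP."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def find_unencrypted_constraints(web_xml):
    """Return [(url_pattern, effective_transport_guarantee)] for every
    access-controlled constraint that does not require CONFIDENTIAL.
    INTEGRAL is flagged too: the spec only promises tamper-evidence for it,
    not confidentiality, so the descriptor should say what it means."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not _children(sc, "auth-constraint"):
            continue  # not access-controlled; out of scope for CWE-5
        guarantee = "NONE"  # servlet-spec default when the element is absent
        for udc in _children(sc, "user-data-constraint"):
            for tg in _children(udc, "transport-guarantee"):
                if tg.text:
                    guarantee = tg.text.strip().upper()
        if guarantee != "CONFIDENTIAL":
            for wrc in _children(sc, "web-resource-collection"):
                for up in _children(wrc, "url-pattern"):
                    findings.append((up.text.strip(), guarantee))
    return findings


# Constructed sample (hypothetical app): the weak descriptor.  /account/*
# explicitly permits plaintext; /admin/* omits <user-data-constraint>, which
# the servlet spec treats as NONE.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the corrected descriptor.  Every access-controlled
# pattern now carries an explicit CONFIDENTIAL transport guarantee.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        hits = find_unencrypted_constraints(xml)
        print(f"{label}: {len(hits)} finding(s)")
        for pattern, tg in hits:
            print(f"  {pattern} served with transport-guarantee={tg}")
```

Run against a real descriptor by reading the file into a string and passing it to find_unencrypted_constraints. Note that the check deliberately treats a missing user-data-constraint as NONE rather than skipping it, since that silent default is the more common form of the misconfiguration; constraints with no auth-constraint are ignored because the mitigation on this page scopes the requirement to access-controlled pages.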
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms: J2EE Misconfiguration: Insecure Transport
Frequently Asked Questions
What is CWE-5?
CWE-5 (J2EE Misconfiguration: Data Transmission Without Encryption) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
How can CWE-5 be exploited?
Attackers can exploit CWE-5 (J2EE Misconfiguration: Data Transmission Without Encryption) to read or modify application data while it is in transit, for example by passively sniffing or actively intercepting plaintext HTTP traffic on the network path between the client and the server. This weakness is typically introduced during the Implementation and Operation phases of software development, since it is a deployment-descriptor setting rather than a flaw in application code.
How do I prevent CWE-5?
Key mitigations include: the product configuration should ensure that TLS (historically SSL), or an encryption mechanism of equivalent strength and vetted reputation, is used for all access-controlled pages. In J2EE this is expressed in web.xml by giving each access-controlled security-constraint a user-data-constraint with a transport-guarantee of CONFIDENTIAL.
What is the severity of CWE-5?
CWE-5 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.