# Cleartext Transmission of Sensitive Information (CWE-319)

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

**Stack:** Kubernetes

- Prevalence: Élevée Fréquemment exploitée
- Impact: Élevé 5 règles de sévérité élevée
- Prevention: Documentée 6 exemples de correctifs

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit.

## Prevention

### Kubernetes

Configure TLS on Ingress resources to encrypt traffic in transit

Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates

## Warning Signs

- [HIGH] Ingress exposes HTTP traffic without TLS encryption
- [HIGH] Kubernetes Ingress resources without TLS configuration
- [HIGH] TLS certificate verification disabled (vulnerable to MITM attacks)
- [HIGH] when TLS certificate verification is disabled in Kubernetes configurations

## Consequences

- Lecture des données de l'application
- Contourner le mécanisme de protection

## Mitigations

- Chiffrez toutes les données sensibles avant transmission
- Utilisez TLS/SSL pour toutes les connexions transmettant des données sensibles
- Mettez en place l'épinglage de certificats pour les applications mobiles

## Detection

- Total rules: 6
- Languages: go, kubernetes, yaml, python

## Rules by Language

### Yaml (2 rules)

- **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration.
  - Remediation: Configure TLS for Ingress resources.

```yaml
spec:
  tls:
  - hosts: [example.com]
    secretName: example-tls
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-319/ingress-missing-tls
- **Insecure TLS Verification Disabled** [HIGH]: Detects when TLS certificate verification is disabled in Kubernetes configurations.
  - Remediation: Remove the insecure TLS skip setting and use proper certificate verification.

### Kubernetes (1 rules)

- **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration.
  - Remediation: Configure TLS for Ingress resources.

```yaml
spec:
  tls:
  - hosts: [example.com]
    secretName: example-tls
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-319/ingress-missing-tls