# Cleartext Transmission of Sensitive Information (CWE-319) The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. **Stack:** Kubernetes - Prevalence: 높음 자주 악용됨 - Impact: 높음 5개의 높은 심각도 규칙 - Prevention: 문서화됨 6개의 수정 예시 **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit. ## Prevention ### Kubernetes Configure TLS on Ingress resources to encrypt traffic in transit Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates ## Warning Signs - [HIGH] Ingress exposes HTTP traffic without TLS encryption - [HIGH] Kubernetes Ingress resources without TLS configuration - [HIGH] TLS certificate verification disabled (vulnerable to MITM attacks) - [HIGH] when TLS certificate verification is disabled in Kubernetes configurations ## Consequences - 애플리케이션 데이터 읽기 - 보호 메커니즘 우회 ## Mitigations - 모든 민감한 데이터는 전송 전에 암호화하세요 - 민감한 데이터를 전송하는 모든 연결에 TLS/SSL을 사용하세요 - 모바일 애플리케이션에는 인증서 피닝을 구현하세요 ## Detection - Total rules: 6 - Languages: go, kubernetes, yaml, python ## Rules by Language ### Yaml (2 rules) - **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration. - Remediation: Configure TLS for Ingress resources. ```yaml spec: tls: - hosts: [example.com] secretName: example-tls ``` Learn more: https://shoulder.dev/learn/kubernetes/cwe-319/ingress-missing-tls - **Insecure TLS Verification Disabled** [HIGH]: Detects when TLS certificate verification is disabled in Kubernetes configurations. - Remediation: Remove the insecure TLS skip setting and use proper certificate verification. ### Kubernetes (1 rules) - **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration. - Remediation: Configure TLS for Ingress resources. ```yaml spec: tls: - hosts: [example.com] secretName: example-tls ``` Learn more: https://shoulder.dev/learn/kubernetes/cwe-319/ingress-missing-tls