CAPEC-217: Exploiting Incorrectly Configured SSL/TLS

ID CAPEC-217
Likelihood Of Attack Low
Status Draft

An adversary takes advantage of incorrectly configured SSL/TLS communications that enable access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to compromise either the client or the server.

SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.
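
A configuration check for the two conditions named above, as an added example that is not part of the CAPEC entry: it scans an nginx-style configuration for deprecated protocol versions in `ssl_protocols` and for 3DES or RC4 suites in the OpenSSL cipher string of `ssl_ciphers`. The choice of nginx, the function names and the sample configurations are assumptions made for illustration.

```python
import re

# Protocol versions the entry lists as deprecated: all SSL, TLS 1.0 and TLS 1.1.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify 3DES and RC4 suites in OpenSSL cipher names.
WEAK_CIPHER_MARKERS = {"3DES": "3DES", "DES-CBC3": "3DES", "RC4": "RC4"}

def _directives(config, name):
    """Yield (line_number, value) for every `name value;` line, ignoring comments."""
    for n, line in enumerate(config.splitlines(), 1):
        m = re.match(r"\s*" + re.escape(name) + r"\s+(.+?)\s*;", line.split("#", 1)[0])
        if m:
            yield n, m.group(1)

def audit_tls_config(config):
    """Return a list of (line, issue, token) findings for the given config text."""
    findings = []
    for n, value in _directives(config, "ssl_protocols"):
        for proto in value.split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append((n, "deprecated protocol", proto))
    for n, value in _directives(config, "ssl_ciphers"):
        for token in re.split(r"[:, ]+", value.strip("'\"")):
            if not token or token[0] in "!-":  # '!' and '-' remove suites
                continue
            name = token.lstrip("+").upper()  # '+' only reorders, suite stays enabled
            for marker, family in WEAK_CIPHER_MARKERS.items():
                if marker in name:
                    findings.append((n, "insecure cipher: " + family, token))
                    break
    return findings

# Constructed sample configurations (not taken from the page).
WEAK = """\
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:RC4-SHA;
}
"""
HARDENED = """\
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!3DES:!RC4;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_tls_config(cfg))
```

The check does not expand aggregate cipher keywords such as `ALL`, and it does not judge a configuration in which a directive is absent and the server default applies; both cases need the effective settings of the running server to be inspected.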

https://capec.mitre.org/data/definitions/217.html

Weaknesses

ID | Name | Type
CWE-201 | Insertion of Sensitive Information Into Sent Data | weakness