nntplib — cleartext

Cleartext Transmission of Sensitive Information in the nntplib Module

The Python module nntplib provides a number of functions for accessing NNTP servers. However, the default behavior of the module does not provide utilize secure connections. This means that data transmitted over the network, including passwords, is sent in cleartext. This makes it possible for attackers to intercept and read this data.

The Python module nntplib should only in a secure mannner to protect sensitive data when accessing NNTP servers.

Example

import nntplib


with nntplib.NNTP("news.gmane.io") as n:
    n.login("user", "password")
    n.group("gmane.comp.python.committers")

Example Output

> precli tests/unit/rules/python/stdlib/nntplib/examples/nntplib_nntp_context_mgr.py
⛔️ Error on line 5 in tests/unit/rules/python/stdlib/nntplib/examples/nntplib_nntp_context_mgr.py
PY012: Cleartext Transmission of Sensitive Information
The 'nntplib.NNTP.login' function will transmit authentication information such as a user, password  in cleartext.

Remediation

If the NNTP protocol must be used and sensitive data will be transferred, it is recommended to secure the connection using NNTP_SSL class. Alternatively, the starttls function can be used to enter a secure session.

import nntplib


with nntplib.NNTP_SSL('news.gmane.io') as n:
    n.login("user", "password")
    n.group('gmane.comp.python.committers')

Default Configuration

enabled = true
level = "error"

See also

Info

• nntplib — NNTP protocol client
• CWE-319: Cleartext Transmission of Sensitive Information

New in version 0.1.9