CWE-319 Cleartext Transmission of Sensitive Information

Description

Cleartext Transmission of Sensitive Information

Reference: https://cwe.mitre.org/data/definitions/319.html

OWASP Category: A02:2021 – Cryptographic Failures

---

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: HTTP instead of HTTPS
URL url = new URL("http://api.example.com/users");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();

// VULNERABLE: Plain socket
Socket socket = new Socket("server.com", 80);
OutputStream out = socket.getOutputStream();
out.write(sensitiveData.getBytes());

Why it's vulnerable: This pattern is vulnerable to Cleartext Transmission of Sensitive Information

---

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use HTTPS
URL url = new URL("https://api.example.com/users");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

// SECURE: Use SSL socket
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("server.com", 443);

// Enable strict hostname verification
conn.setHostnameVerifier((hostname, session) -> {
    HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
    return hv.verify(hostname, session);
});

Why it's secure: Implements proper protection against Cleartext Transmission of Sensitive Information

---

Detection Pattern

Look for these patterns in your codebase:

# Find HTTP URLs
grep -rn "http://" --include="*.java" | grep -v "https"

# Find plain sockets
grep -rn "new Socket(" --include="*.java"

---

Remediation Steps

1. Replace all HTTP URLs with HTTPS

2. Use SSLSocket instead of plain Socket

3. Configure proper TLS versions (TLS 1.2+)

4. Enable hostname verification

---

Key Imports

import javax.net.ssl.SSLSocketFactory;

import javax.net.ssl.HttpsURLConnection;

---

Verification

After remediation:

• Run SAST scanner to confirm vulnerability is resolved

• Review all instances of the vulnerable pattern

• Add unit tests that verify the secure implementation

• Check for similar patterns in related code

---

Trigger Examples

Fix CWE-319 vulnerability
Resolve Cleartext Transmission of Sensitive Information issue
Secure this Java code against cleartext transmission of sensitive information
SAST reports CWE-319

---

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

---

References

• CWE-319: Cleartext Transmission

---

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07