SYM_JAVA_0117 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Generation of Predictable IV with CBC Mode

Property          Value
----------------  ---------------------------------------------------
Language          java
Severity          high
CWE               CWE-329: Generation of Predictable IV with CBC Mode
OWASP             A02:2021 - Cryptographic Failures
Confidence Level  High
Impact Level      Medium
Likelihood Level  Medium

Description

The code uses a fixed or hardcoded initialization vector (IV) for block cipher encryption in CBC mode instead of generating a new random IV for each encryption operation. As a result, identical plaintexts encrypted under the same key always produce identical ciphertexts, which undermines the confidentiality the encryption is meant to provide.
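The following Java example is added here to illustrate the pattern described above; it is not code from the Symbiotic Vulnerability Database. It places the vulnerable form (a hardcoded all-zero IV reused for every call) beside a corrected form that draws a fresh IV from SecureRandom per encryption and prepends it to the ciphertext so the receiver can recover it. The class and method names are chosen for this illustration; the plaintext is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CbcIvDemo {

    private static final int IV_LEN = 16; // AES block size in bytes

    // VULNERABLE (CWE-329): a constant IV hardcoded in the class and reused for every
    // encryption. Encrypting the same plaintext twice under the same key yields the
    // same ciphertext, and equal plaintext prefixes yield equal ciphertext prefixes.
    private static final byte[] FIXED_IV = new byte[IV_LEN]; // all zeros

    static byte[] encryptWithFixedIv(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(FIXED_IV));
        return cipher.doFinal(plaintext);
    }

    // CORRECTED: a fresh, unpredictable IV for every call. The IV is not secret, only
    // unpredictable, so it is transmitted in the clear ahead of the ciphertext.
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] encryptWithRandomIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        // Output layout: IV || ciphertext
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    static byte[] decryptWithRandomIv(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        if (ivAndCiphertext.length < IV_LEN) {
            throw new IllegalArgumentException("input shorter than one IV");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, IV_LEN, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample plaintext for the demonstration.
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] a = encryptWithFixedIv(key, msg);
        byte[] b = encryptWithFixedIv(key, msg);
        System.out.println("fixed IV, same plaintext twice -> equal ciphertext? "
                + Arrays.equals(a, b));

        byte[] c = encryptWithRandomIv(key, msg);
        byte[] d = encryptWithRandomIv(key, msg);
        System.out.println("random IV, same plaintext twice -> equal ciphertext? "
                + Arrays.equals(c, d));
        System.out.println("random IV round trip recovers plaintext? "
                + Arrays.equals(msg, decryptWithRandomIv(key, c)));
    }
}
```

Running the class shows the fixed-IV path returning byte-identical ciphertext for the two identical messages, while the random-IV path returns differing ciphertexts that still decrypt to the original plaintext. In a code review or static-analysis rule, the signal to look for is an `IvParameterSpec` built from a constant, a literal, or any byte array that is not filled by `SecureRandom` immediately before `Cipher.init`.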

Impact

Attackers who observe the ciphertext could detect repeated patterns in the encrypted data, allowing them to infer sensitive information or potentially recover message contents. This weakens overall data confidentiality and can expose user data, violating security standards and putting both users and the organization at risk.