SYM_PHP_0023 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Generation of Predictable IV with CBC Mode
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-329: Generation of Predictable IV with CBC Mode |
OWASP | A02:2021 - Cryptographic Failures |
Confidence Level | High |
Impact Level | Medium |
Likelihood Level | High |
Description
The code uses a static (hardcoded) initialization vector (IV) with AES encryption in CBC mode. Because the same IV is reused for every encryption, messages that begin with the same plaintext produce the same leading ciphertext blocks under a given key, which makes the encrypted data predictable and vulnerable to certain attacks.
Impact
An attacker could exploit this to uncover patterns in the encrypted data or conduct chosen-plaintext attacks, potentially leading to sensitive information being exposed even if the encryption key remains secret. This weakens the overall security of the application and puts user data at risk.
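The weak pattern described above next to a corrected form, as an added example that is not code from this wiki or from the rule itself. The function names, key, static IV value and sample records are all constructed for illustration.

```php
<?php
// Added illustration: function names, key and sample records are constructed.
const CIPHER = 'aes-256-cbc';

// Weak form: one hardcoded IV is reused for every message.
function encrypt_static_iv(string $plaintext, string $key): string
{
    $iv = '0123456789abcdef'; // constructed 16-byte static IV
    return openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

// Corrected form: fresh random IV per message, stored in front of the ciphertext.
function encrypt_random_iv(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $ct; // the IV is not secret, only unpredictable and unique
}

function decrypt_random_iv(string $blob, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < $ivLen + 16) { // IV plus at least one AES block
        throw new InvalidArgumentException('ciphertext too short');
    }
    $pt = openssl_decrypt(substr($blob, $ivLen), CIPHER, $key,
        OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(32); // constructed key for the demonstration
// Two constructed records that share their first 16 bytes (one AES block).
$a = 'account=1001;role=user;note=first record';
$b = 'account=1001;role=user;note=second record';
// Static IV: the shared first plaintext block encrypts to the same ciphertext block.
$same = substr(encrypt_static_iv($a, $key), 0, 16) === substr(encrypt_static_iv($b, $key), 0, 16);
echo 'static IV, first ciphertext block repeats: ', var_export($same, true), PHP_EOL;
// Random IV: the stored blobs (IV followed by ciphertext) no longer share a prefix.
$ra = encrypt_random_iv($a, $key);
$rb = encrypt_random_iv($b, $key);
$same = substr($ra, 0, 32) === substr($rb, 0, 32);
echo 'random IV, leading 32 bytes repeat: ', var_export($same, true), PHP_EOL;
echo 'round trip ok: ', var_export(decrypt_random_iv($ra, $key) === $a, true), PHP_EOL;
```

A random IV removes the repetition but CBC still provides no integrity protection, so pairing it with a MAC over the IV and ciphertext, or using an authenticated mode such as `aes-256-gcm`, is a separate hardening step.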