
Insecure use of (Insecure cipher mode: ECB) in symmetricEncryption.java #21

@A-Amyan

Description

We are a German research group investigating the misuse of cryptographic APIs.
We found vulnerabilities in symmetricEncryption.java at lines {35, 49}, which can lead to an attack (e.g., Codebook attack (plaintext pattern analysis), Block replay/cut-and-paste attack).

This is our result:

```json
"explanation": "Direct call to Cipher.getInstance within the encrypt method using the provided cipherInstance parameter.",
"cryptographicObjectType": "Cipher",
"codeSnippet": "Cipher cipher = Cipher.getInstance(cipherInstance);",
"vulnerabilityType": "Insecure",
"correction": "The transformation string 'AES/ECB/NoPadding' uses ECB mode, which is known to be insecure. Replace it with a secure mode such as CBC or GCM (for example, 'AES/CBC/PKCS5Padding' or 'AES/GCM/NoPadding') and, if needed, change the IV handling accordingly.",
```
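The following is an added, self-contained Java example (not code from this repository or from the reporting group) that makes the finding concrete: it encrypts a constructed plaintext made of two identical 16-byte blocks through a caller-supplied transformation string, as the reported `encrypt` method does, shows that `AES/ECB/NoPadding` produces identical ciphertext blocks for identical plaintext blocks, and then shows the suggested `AES/GCM/NoPadding` replacement with a fresh random nonce prepended to the output and the authentication tag checked on decryption. `encryptWithTransformation` is a hypothetical stand-in for the project's `encrypt` method, whose real signature is not shown in the issue; the example uses only standard JCE classes and the range overload of `Arrays.equals` (Java 9+).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EcbVsGcmDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    // Constructed sample input: two identical 16-byte blocks, so ECB's weakness is visible.
    static final byte[] PLAINTEXT =
        "ATTACK AT DAWN!!ATTACK AT DAWN!!".getBytes(StandardCharsets.US_ASCII);

    /** Hypothetical stand-in for the reported pattern: the caller picks the transformation. */
    static byte[] encryptWithTransformation(String cipherInstance, SecretKey key, byte[] plaintext)
            throws Exception {
        Cipher cipher = Cipher.getInstance(cipherInstance);
        cipher.init(Cipher.ENCRYPT_MODE, key);  // ECB: no IV, so same key + same block -> same output
        return cipher.doFinal(plaintext);
    }

    /** Detection helper: does the ciphertext contain two identical 16-byte blocks? */
    static boolean hasRepeatedBlocks(byte[] ciphertext) {
        for (int i = 0; i + 16 <= ciphertext.length; i += 16) {
            for (int j = i + 16; j + 16 <= ciphertext.length; j += 16) {
                if (Arrays.equals(ciphertext, i, i + 16, ciphertext, j, j + 16)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Hardened form: AES-GCM with a fresh random nonce, which is prepended to the output. */
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);  // a nonce must never be reused under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);  // ciphertext followed by the 16-byte tag
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Splits off the nonce and decrypts; any modification of the ciphertext fails the tag check. */
    static byte[] decryptGcm(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, ivAndCiphertext, 0, GCM_IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        return cipher.doFinal(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // ECB: the repeated plaintext block shows up as a repeated ciphertext block.
        byte[] ecb = encryptWithTransformation("AES/ECB/NoPadding", key, PLAINTEXT);
        System.out.println("ECB: repeated ciphertext blocks = " + hasRepeatedBlocks(ecb));

        // GCM: no repeated blocks, and two encryptions of the same message differ.
        byte[] gcm1 = encryptGcm(key, PLAINTEXT);
        byte[] gcm2 = encryptGcm(key, PLAINTEXT);
        System.out.println("GCM: repeated blocks = " + hasRepeatedBlocks(gcm1)
            + ", two encryptions identical = " + Arrays.equals(gcm1, gcm2));
        System.out.println("GCM round trip ok = "
            + Arrays.equals(PLAINTEXT, decryptGcm(key, gcm1)));

        // Integrity: flipping one ciphertext byte is rejected, unlike in unauthenticated modes.
        byte[] tampered = gcm1.clone();
        tampered[GCM_IV_BYTES] ^= 0x01;
        try {
            decryptGcm(key, tampered);
            System.out.println("tampered ciphertext was NOT rejected (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered ciphertext: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with `javac EcbVsGcmDemo.java && java EcbVsGcmDemo`. The ECB output contains identical blocks wherever the plaintext does, which is exactly what the reported codebook and block-replay risks rest on; the GCM output carries a random nonce, so repeated messages look unrelated, and the tag check turns any ciphertext modification into an `AEADBadTagException` instead of silently decrypted garbage. If the method must keep accepting a `cipherInstance` string from callers, the cheapest mitigation is to reject any transformation containing `/ECB/` before calling `Cipher.getInstance`.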
