Insecure use of (Use of weak algorithms: DES, Blowfish, RC2, IDEA) in symmetricAlgTest.java

[A-Amyan]

We are a German research group investigating the misuse of cryptographic APIs.
We found vulnerabilities in symmetricAlgTest.java at line {72}, which can lead to an attack (e.g., Exhaustive key search (brute-force attack), Differential cryptanalysis, Linear cryptanalysis, Meet-in-the-middle attack, Slide attack, Related-key attack, Biclique attack, Weak/sem-weak key exploitation).

This is our result:

    "explanation": "This call appears inside the getAlgMode method. The ALGORITHM parameter is built from elements of the ALG_b, ALG_MODE, and ALG_PADDING arrays (e.g. 'AES', 'CBC', 'PKCS5Padding'). It is a direct call to the Cipher.getInstance API, initializing a Cipher instance with the given transformation.",
    "cryptographicObjectType": "Cipher",
    "codeSnippet": "public static Boolean getAlgMode(String ALGORITHM) {\n    try {\n        Cipher.getInstance(ALGORITHM);\n        return true;\n    } catch (NoSuchAlgorithmException e) {\n        return false;\n    } catch (NoSuchPaddingException e) {\n        return false;\n    }\n}",
    "vulnerabilityType": "Insecure",
    "correction": "The transformation string is built from static arrays that include weak algorithms (e.g., DES, Blowfish, RC2, IDEA) and insecure modes (such as ECB). Even though the string is computed at runtime, allowing such values may result in the instantiation of weak cipher configurations. To fix this, restrict the allowed values to only secure combinations\u2014for instance, remove weak algorithms from the ALG_b array and disallow ECB mode from ALG_MODE, favoring secure options like AES with GCM or CBC (with proper IV management) configuration.",