DerScanner
Home / Vulnerability Database / Java : Insecure initialization vector
Java

Java : Insecure initialization vector

Classification

OWASP Top 10 2013
A6-Sensitive Data Exposure
OWASP Top 10 2017
A3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure Design
OWASP MASVS
V8: 8.13.(L1+R/L2+R)
OWASP ASVS
Stored CryptographyStored Cryptography
PCI DSS 4.0
3.6.16.2.48.3.2
HIPAA
§164.312 (a)(2)(iv)
CWE
CWE-329CWE-1032

Overview

The application performs encryption with the initialization vector (IV) and coincides encryption keys. For secure encryption it is necessary that IV be cryptographically pseudo-random, that is unpredictable for the attacker.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. CWE-329: Not Using a Random IV with CBC Mode
  2. Initialization vector - Wikipedia
  3. Forced into using a static IV (AES) - security.stackexchange.com
  4. Why should I use an Initialization Vector (IV) when I have unique keys? - crypto.stackexchange.com
  5. OWASP Top 10 2017-A3-Sensitive Data Exposure
  6. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  7. Bleichenbacher’s attack
MEDIUM

DerScanner Severity Score

Do you want to fix Java : Insecure initialization vector in your application?

See also

Java

Java : Race condition

Java

Java : Text4Shell Vulnerability

Java

Java : JNI usage