AES Algorithm Used Without Initialization Vector

Description

The AES algorithm requires an initialization vector (IV). Providing no or null IV in some implementations results in a 0 IV. Use of a deterministic IV makes dictionary attacks easier.

Examples

Insecure Code

javascript

const cipher = crypto.createCipheriv('aes-256-cbc', key, '');

Secure Code

javascript

const iv = crypto.randomBytes(16); const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);

Remediation

Provide a secure initialization vector when creating an AES cipher.

Rule Details

Field	Value
ID	CODE-0351
Category	Crypto
Severity	MEDIUM
CWE	CWE-327
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	AES, Initialization Vector, Cryptographic Failures
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

AES Algorithm Used Without Initialization Vector

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

AES Algorithm Used Without Initialization Vector ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

AES Algorithm Used Without Initialization Vector

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details