Padding Oracle Vulnerability in CBC Mode with PKCS5Padding
Description
Using CBC mode with PKCS5Padding is susceptible to padding oracle attacks. An adversary can potentially decrypt a message if the system reveals whether a decrypted ciphertext had valid or invalid padding (for example through distinct error messages, response codes or timing), because CBC provides no integrity check of its own.
Examples
Insecure Code

```scala
// CBC with PKCS5 padding: a decryption failure can reveal whether the padding was valid
val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
```

Secure Code

```scala
// GCM is an authenticated mode: tampered ciphertexts are rejected before any plaintext is released
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
```

Remediation
Use an authenticated encryption mode such as GCM or EAX, or a library that provides authenticated encryption (AEAD), so that any modified ciphertext fails integrity verification uniformly instead of exposing padding validity.
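The remediation applied with the JCA API, as an added example that is not part of the rule's own code: AES-GCM with a random 96-bit nonce, a 128-bit tag and associated data, where any tampering yields one uniform failure rather than a padding-specific error. The object and helper names are assumptions for this illustration.

```scala
import javax.crypto.{AEADBadTagException, Cipher, KeyGenerator, SecretKey}
import javax.crypto.spec.GCMParameterSpec
import java.security.SecureRandom
import java.nio.charset.StandardCharsets.UTF_8

// Hypothetical helper object for this example
object AuthenticatedEncryptionExample {
  private val rng = new SecureRandom()
  private val NonceLen = 12   // 96-bit nonce, the recommended size for GCM
  private val TagBits  = 128  // full-length authentication tag

  // Fresh random 256-bit AES key (demo only; real keys come from a key store)
  def newKey(): SecretKey = {
    val kg = KeyGenerator.getInstance("AES")
    kg.init(256)
    kg.generateKey()
  }

  // Encrypt and authenticate; the nonce is prepended to the output so decrypt can recover it
  def encryptGcm(key: SecretKey, plaintext: Array[Byte], aad: Array[Byte]): Array[Byte] = {
    val nonce = new Array[Byte](NonceLen)
    rng.nextBytes(nonce)                      // never reuse a nonce with the same key
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TagBits, nonce))
    cipher.updateAAD(aad)                     // context bound into the tag but not encrypted
    nonce ++ cipher.doFinal(plaintext)
  }

  // Returns None for ANY integrity failure: one uniform outcome, no padding signal to leak
  def decryptGcm(key: SecretKey, blob: Array[Byte], aad: Array[Byte]): Option[Array[Byte]] = {
    val (nonce, ct) = blob.splitAt(NonceLen)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TagBits, nonce))
    cipher.updateAAD(aad)
    try Some(cipher.doFinal(ct)) catch { case _: AEADBadTagException => None }
  }

  def main(args: Array[String]): Unit = {
    val key = newKey()
    val aad = "record-v1".getBytes(UTF_8)     // constructed sample context
    val blob = encryptGcm(key, "hello, world".getBytes(UTF_8), aad)
    assert(decryptGcm(key, blob, aad).map(new String(_, UTF_8)).contains("hello, world"))
    // Flip one ciphertext byte: GCM rejects the whole message before releasing any plaintext
    val tampered = blob.clone()
    tampered(NonceLen) = (tampered(NonceLen) ^ 0x01).toByte
    assert(decryptGcm(key, tampered, aad).isEmpty)
    // Wrong associated data fails the same way as a modified ciphertext
    assert(decryptGcm(key, blob, "record-v2".getBytes(UTF_8)).isEmpty)
    println("GCM round-trip ok; tampered input rejected uniformly")
  }
}
```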
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0022 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-696 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | padding oracle, CBC, PKCS5Padding |
| OWASP | N/A |