java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding
Community Favorite

Author
50,751
Download Count*
License
Using RSA without OAEP mode weakens the encryption.
Run Locally
Run in CI
Defintion
rules:
- id: rsa-no-padding
metadata:
cwe:
- "CWE-326: Inadequate Encryption Strength"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING
references:
- https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
asvs:
section: V6 Stored Cryptography Verification Requirements
control_id: 6.2.5 Insecure Algorithm
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
version: "4"
category: security
technology:
- java
- kotlin
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
message: Using RSA without OAEP mode weakens the encryption.
severity: WARNING
languages:
- java
- kt
pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/")
Examples
rsa-no-padding.java
class RSAPadding {
public void rsaNoPadding() {
// ruleid: rsa-no-padding
Cipher.getInstance("RSA/NONE/NoPadding");
}
public void rsaNoPadding2() {
// ruleid: rsa-no-padding
useCipher(Cipher.getInstance("RSA/None/NoPadding"));
}
public void rsaPadding() {
// ok: rsa-no-padding
Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
}
}
Short Link: https://sg.run/DoOj