java.lang.security.audit.crypto.use-of-rc2.use-of-rc2
semgrepAuthor
unknown
Download Count*
License
Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Run Locally
Run in CI
Defintion
rules:
- id: use-of-rc2
pattern: $CIPHER.getInstance("RC2")
metadata:
functional-categories:
- crypto::search::symmetric-algorithm::javax.crypto
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
category: security
technology:
- java
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
message: 'Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
is therefore considered non-compliant. Instead, use a strong, secure
cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
for more information.'
severity: WARNING
languages:
- java
Examples
use-of-rc2.java
class RC2{
public void useofRC2() {
// ruleid: use-of-rc2
Cipher.getInstance("RC2");
}
public void useofRC2b() {
// ruleid: use-of-rc2
useCipher(Cipher.getInstance("RC2"));
}
public void ok() {
// ok: use-of-rc2
Cipher.getInstance("AES/CBC/PKCS7PADDING");
}
}
Short Link: https://sg.run/EEvA