python.cryptography.security.empty-aes-key.empty-aes-key
semgrep
Author
unknown
Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.
Definition
rules:
  - id: empty-aes-key
    message: >-
      Potential empty AES encryption key. Using an empty key in AES
      encryption can result in weak encryption and may allow attackers to easily
      decrypt sensitive data. Ensure that a strong, non-empty key is used for
      AES encryption.
    patterns:
      - pattern: AES.new("",...)
    languages:
      - python
    severity: WARNING
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
        - "CWE-310: Cryptographic Issues"
      references:
        - https://cwe.mitre.org/data/definitions/327.html
        - https://cwe.mitre.org/data/definitions/310.html
      category: security
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      owasp: A6:2017 misconfiguration
      functional-categories:
        - crypto::search::key-length::pycrypto
        - crypto::search::key-length::pycryptodome
      technology:
        - python
        - pycrypto
        - pycryptodome
      vulnerability_class:
        - Cryptographic Issues
Examples
empty-aes-key.py
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes


def bad1():
    iv = get_random_bytes(16)
    # ruleid: empty-aes-key
    cipher = AES.new("", AES.MODE_CFB, iv)  # empty key: what the rule flags
    msg = iv + cipher.encrypt(b'Attack at dawn')
    return msg


def ok1(key, nonce, ciphertext):
    # ok: empty-aes-key
    cipher = AES.new(key, AES.MODE_EAX, nonce=nonce)  # key supplied by caller
    plaintext = cipher.decrypt(ciphertext)
    return plaintext
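To make concrete what the AES.new("",...) pattern above targets, here is an added stdlib-only approximation of the check (example code, not Semgrep and not part of the registry rule). It walks a constructed sample with Python's ast module and reports AES.new calls whose key argument is an empty literal; it is deliberately a little broader than the rule's pattern (it also flags b"" and the key= keyword form) and, like the rule as written, it does not track keys held in variables.

```python
"""Stdlib-only approximation of the empty-aes-key rule (added example, not Semgrep)."""
import ast

# Constructed sample source, not taken from any real code base.
SAMPLE = '''
from Crypto.Cipher import AES
c1 = AES.new("", AES.MODE_CFB, iv)          # literal empty str key -> finding
c2 = AES.new(b"", AES.MODE_EAX, nonce=n)    # empty bytes key -> also flagged here
c3 = AES.new(key="", mode=AES.MODE_GCM)     # keyword form -> flagged here
c4 = AES.new(key, AES.MODE_EAX, nonce=n)    # key held in a variable -> not flagged
'''


def _is_empty_literal(node):
    """True for the constants "" and b""."""
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, (str, bytes))
            and len(node.value) == 0)


def find_empty_aes_keys(source):
    """Return (line, snippet) pairs for AES.new(...) calls whose key argument
    (first positional argument, or the key= keyword) is an empty literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match exactly the shape AES.new(...), as the rule's pattern does.
        if not (isinstance(func, ast.Attribute) and func.attr == "new"
                and isinstance(func.value, ast.Name) and func.value.id == "AES"):
            continue
        key_arg = node.args[0] if node.args else None
        for kw in node.keywords:
            if kw.arg == "key":
                key_arg = kw.value
        if key_arg is not None and _is_empty_literal(key_arg):
            findings.append((node.lineno, ast.get_source_segment(source, node)))
    return findings


if __name__ == "__main__":
    for line, snippet in find_empty_aes_keys(SAMPLE):
        print(f"line {line}: {snippet}")
```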
Short Link: https://sg.run/zQ9G