python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb
Verified by r2c
Community Favorite

Download Count*: 99,223
Detected ECB cipher mode which is considered insecure. The algorithm can potentially leak information about the plaintext. Use CBC mode instead.
Definition
rules:
- id: insecure-cipher-mode-ecb
  pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...)
  message: Detected ECB cipher mode which is considered insecure. The algorithm
    can potentially leak information about the plaintext. Use CBC mode
    instead.
  metadata:
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101
    cwe:
    - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    bandit-code: B305
    references:
    - https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
    category: security
    technology:
    - cryptography
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  severity: WARNING
  languages:
  - python
Examples
insecure-cipher-mode-ecb.py
# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/examples/cipher-modes.py
import os
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, ECB

# Constructed key and IV so the file runs; a real IV must be fresh for every message
key = os.urandom(32)
iv = os.urandom(16)

# Insecure mode (ECB() takes no IV: every block is encrypted independently)
# ruleid: insecure-cipher-mode-ecb
mode = ECB()

# Secure cipher and mode (bandit's original line was the PyCrypto call
# AES.new(key, blockalgo.MODE_CTR, iv); this is the cryptography equivalent)
# ok: insecure-cipher-mode-ecb
cipher = Cipher(AES(key), CTR(iv))

# Secure mode (only if the ciphertext is also authenticated, e.g. with an HMAC)
# ok: insecure-cipher-mode-ecb
mode = CBC(iv)
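The rule message says "Use CBC mode instead." The following added example (written for this page; it is not the rule's test file or Semgrep's code) shows with the `cryptography` library what the leak the rule warns about actually looks like: under ECB, equal 16-byte plaintext blocks produce equal ciphertext blocks, so the ciphertext reveals the structure of the plaintext, while CBC chains each block into the next and removes that repetition. It also shows why CBC alone is only a partial fix: CBC gives no integrity protection, so a receiver cannot tell a modified ciphertext from a genuine one (the basis of padding-oracle attacks), whereas an AEAD mode such as AES-GCM both hides structure and rejects tampering. The key, IV, sample record and the names `leak_comparison`, `seal_gcm` and `open_gcm` are this example's own constructions, not anything from the rule.

```python
"""Why Semgrep flags ECB: identical plaintext blocks give identical
ciphertext blocks, so the ciphertext reveals the structure of the plaintext.

Added example, not part of the Semgrep rule or its test file. Requires the
`cryptography` package. Keys, IVs and the sample record are constructed for
illustration only; never hard-code keys in real code.
"""
import os
from collections import Counter
from typing import Dict, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers.modes import CBC, ECB

BLOCK = 16  # AES block size in bytes

# Constructed sample: a record whose 16-byte fields repeat, the kind of
# repetition real data has (fixed headers, repeated status fields, runs
# of padding). Layout of blocks: A B A B B.
SAMPLE = (b"user=alice      " + b"role=admin      ") * 2 + b"role=admin      "


def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a whole number of blocks, as any block-mode caller must."""
    padder = padding.PKCS7(AES.block_size).padder()
    return padder.update(data) + padder.finalize()


def encrypt_ecb(key: bytes, plaintext: bytes) -> bytes:
    """What the rule flags: ECB() takes no IV, each block is encrypted
    independently under the same key, so C_i = E_K(P_i)."""
    enc = Cipher(AES(key), ECB()).encryptor()
    return enc.update(pkcs7_pad(plaintext)) + enc.finalize()


def encrypt_cbc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """The rule's suggested fix: C_i = E_K(P_i XOR C_{i-1}), so equal
    plaintext blocks no longer give equal ciphertext blocks."""
    enc = Cipher(AES(key), CBC(iv)).encryptor()
    return enc.update(pkcs7_pad(plaintext)) + enc.finalize()


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of 16-byte ciphertext blocks that occur more than once;
    a non-zero value is exactly the structural leak ECB causes."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(n for n in Counter(blocks).values() if n > 1)


def leak_comparison(key: bytes, iv: bytes, plaintext: bytes = SAMPLE) -> Dict[str, int]:
    """How many duplicate blocks each mode exposes for one message."""
    return {
        "ecb": repeated_blocks(encrypt_ecb(key, plaintext)),
        "cbc": repeated_blocks(encrypt_cbc(key, iv, plaintext)),
    }


def seal_gcm(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Preferred replacement: an AEAD mode. The 96-bit nonce must never
    repeat under the same key; it is prepended so the receiver has it."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def open_gcm(key: bytes, sealed: bytes, aad: bytes = b"") -> Optional[bytes]:
    """Returns the plaintext, or None if ciphertext, tag or AAD was altered.
    CBC has no equivalent check: a modified CBC ciphertext decrypts silently."""
    nonce, ct = sealed[:12], sealed[12:]
    try:
        return AESGCM(key).decrypt(nonce, ct, aad)
    except InvalidTag:
        return None


if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(16)
    print("duplicate ciphertext blocks:", leak_comparison(key, iv))
    sealed = seal_gcm(key, SAMPLE, b"record-v1")
    tampered = sealed[:-1] + bytes([sealed[-1] ^ 0x01])
    print("gcm intact:", open_gcm(key, sealed, b"record-v1") == SAMPLE)
    print("gcm tampered:", open_gcm(key, tampered, b"record-v1"))
```

Running it prints `{'ecb': 5, 'cbc': 0}`: the five data blocks of `SAMPLE` (A B A B B) come out of ECB as two identical copies of E(A) and three of E(B), so anyone holding the ciphertext learns that blocks 1, 3 and 2, 4, 5 carry the same values, without the key. When reviewing a finding from this rule, treat CBC as the minimum change and prefer an AEAD (`AESGCM`, `ChaCha20Poly1305`) unless a separate MAC over the CBC ciphertext is already in place.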
Short Link: https://sg.run/4xr5