Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	Medium

Description

The use of NullCipher means that data is not actually encrypted—ciphertext is identical to the original plaintext. This leaves sensitive information exposed and defeats the purpose of using encryption.

Impact

If NullCipher is used, confidential data such as passwords or personal information can be easily read by anyone with access to the data stream or storage. Attackers can intercept, view, or modify data with no cryptographic protection, leading to data breaches and compliance violations.

Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	Medium

Description

The code is using the Blowfish encryption algorithm, which relies on a small 64-bit block size and is now considered insecure. Attackers can exploit weaknesses in Blowfish to compromise encrypted data.

Impact

If exploited, sensitive information encrypted with Blowfish could be decrypted or tampered with by attackers, leading to data breaches, unauthorized access, or loss of data integrity. This puts user confidentiality and the application’s security at significant risk.

Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	Medium

Description

The code uses the ECB (Electronic Codebook) mode for encryption, which always produces the same encrypted output for identical input data. This makes it easy for attackers to spot patterns and potentially reveal sensitive information.

Impact

If exploited, attackers can analyze encrypted data to deduce original values, especially repeated or predictable information, leading to exposure of confidential data. This could result in leaks of personal, financial, or business-critical information and increase the risk of data breaches.

Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	Medium

Description

The code uses AES encryption without specifying a mode or padding, which defaults to ECB mode in Java. ECB mode is insecure because it doesn’t properly protect the structure of encrypted data, making sensitive information easier to reveal.

Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Low
Impact Level	Low
Likelihood Level	Low

Description

Implementing your own cryptographic message digest (hash) algorithms is risky because it’s easy to introduce subtle flaws that weaken security. Instead, always use well-tested, standard library implementations like SHA-256.

Impact

If a custom message digest contains mistakes, attackers could break the hash, forge data, or access sensitive information. This can lead to data breaches, loss of integrity, and compromise of authentication or encryption features in your application.

Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

The code is creating JWT tokens with the ’none’ algorithm, which means the tokens are not cryptographically signed. This allows anyone to forge or modify tokens without detection, making authentication insecure.

Impact

If exploited, attackers can generate or alter JWT tokens to impersonate users or escalate privileges, bypassing authentication. This can lead to unauthorized access to sensitive data or critical actions in your application.

Property
Language	java
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	High

Description

Using the ’none’ algorithm when signing JWT tokens means the token is not actually signed or verified, allowing anyone to create or modify tokens without detection. This practice leaves your authentication or authorization system open to forgery.

Impact

If exploited, attackers can generate fake JWT tokens that will be accepted as valid by your application, potentially granting unauthorized access to sensitive data and functionality. This could lead to account takeover, privilege escalation, or full compromise of protected resources.

Property
Language
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Medium
Impact Level	High
Likelihood Level	Medium

Description

The code accepts JWT tokens using the ’none’ algorithm, which means tokens are not cryptographically verified for integrity or authenticity. This allows anyone to craft and use fake tokens that the application will accept as valid.

Impact

If exploited, an attacker can forge their own JWT tokens and gain unauthorized access to user accounts or sensitive functionality, bypass authentication, and compromise the security of the entire application. This can lead to data breaches and loss of trust.

Property
Language
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	Low
Impact Level	Medium
Likelihood Level	High

Description

The code is using the MD5 algorithm to hash passwords, which is insecure because MD5 is fast and vulnerable to modern cracking techniques. Instead, use a stronger password hashing function like bcrypt to better protect user credentials.

Impact

If MD5 is used for password hashing, attackers can easily crack password hashes and gain unauthorized access to user accounts. This can lead to data breaches, account takeovers, and significant reputational or legal damage to the organization.

Property
Language
Severity
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP	A03:2017 - Sensitive Data Exposure
Confidence Level	High
Impact Level	Medium
Likelihood Level	High

Description

Detected use of the ’none’ algorithm in a JWT token. The ’none’ algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the ’none’ algorithm. Instead, use an algorithm such as ‘HS256’.