CWE-1204: Generation of Weak Initialization Vector (IV)

BaseIncomplete

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

View on MITRE
Back to CWE Lookup

Extended Description

By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or unpredictability of an IV. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. by a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-1204: Generation of Weak Initialization Vector (IV)?+

CWE-1204: Generation of Weak Initialization Vector (IV) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive. By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or unpredictability of an IV. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. by a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.

What are the security consequences of Generation of Weak Initialization Vector (IV)?+

If exploited, CWE-1204 (Generation of Weak Initialization Vector (IV)) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

Which programming languages are affected by Generation of Weak Initialization Vector (IV)?+

CWE-1204 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Generation of Weak Initialization Vector (IV)?+

MITRE documents real CVEs mapped to CWE-1204, including CVE-2020-1472, CVE-2011-3389, CVE-2001-0161, CVE-2001-0160 and CVE-2017-3225. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1204 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-1204: Generation of Weak Initialization Vector (IV) | CWE Lookup | InventiveHQ