CodeQL documentation

Weak encryption: inadequate RSA padding

ID: cs/inadequate-rsa-padding
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
   - external/cwe/cwe-780
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls


This query finds uses of RSA encryption without secure padding. Using PKCS#1 v1.5 padding can expose your application to several different attacks that result in the exposure of the encryption key or the ability to determine plaintext from encrypted messages.

Recommendation

Use the more secure PKCS#1 v2 (OAEP) padding.
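
The following is an added example, not taken from the CodeQL documentation. It wraps a symmetric key with RSA using PKCS#1 v1.5 padding and then with OAEP, and shows a receiver that accepts OAEP only. The class and method names are hypothetical, the key pair and AES key are constructed for the demo, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;

public static class RsaKeyWrapExample // hypothetical name, for illustration
{
    // Weak: PKCS#1 v1.5 encryption padding, the scheme this page warns about.
    public static byte[] WrapPkcs1v15(RSA recipientKey, byte[] aesKey) =>
        recipientKey.Encrypt(aesKey, RSAEncryptionPadding.Pkcs1);

    // Recommended: OAEP (PKCS#1 v2), here with SHA-256 as the hash.
    public static byte[] WrapOaep(RSA recipientKey, byte[] aesKey) =>
        recipientKey.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256);

    // The receiver accepts OAEP only; there is no fallback to v1.5.
    public static bool TryUnwrapOaep(RSA privateKey, byte[] wrapped, out byte[] aesKey)
    {
        try
        {
            aesKey = privateKey.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
            return true;
        }
        catch (CryptographicException)
        {
            aesKey = Array.Empty<byte>();
            return false;
        }
    }

    public static void Main()
    {
        using RSA rsa = RSA.Create(3072);                    // constructed throwaway key pair
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);  // constructed sample AES-256 key

        byte[] legacy = WrapPkcs1v15(rsa, aesKey);
        byte[] hardened = WrapOaep(rsa, aesKey);

        bool ok = TryUnwrapOaep(rsa, hardened, out byte[] recovered)
                  && CryptographicOperations.FixedTimeEquals(recovered, aesKey);
        Console.WriteLine($"OAEP round trip succeeded: {ok}");

        // A v1.5 ciphertext is rejected by the OAEP-only receiver, so senders
        // and receivers have to move to OAEP together.
        bool legacyAccepted = TryUnwrapOaep(rsa, legacy, out _);
        Console.WriteLine($"v1.5 ciphertext accepted by OAEP receiver: {legacyAccepted}");
    }
}
```

The padding mode is part of the contract between sender and receiver, so changing `RSAEncryptionPadding.Pkcs1` to an OAEP mode on the encrypting side requires the same change on the decrypting side.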
