The issue of Initialization Vector (IV) initialization.

[sy2339226]

In the getIvParam function, if the key is shorter, there may be an issue where the IV (initialization vector) is initialized as a constant. If the IV is initialized as a constant during the CBC encryption process, it can lead to identical plaintext blocks being encrypted into identical ciphertext blocks, thereby increasing the risk of chosen plaintext attacks and potentially causing the leakage of ciphertext information.

Furthermore, MD5 is a relatively outdated algorithm, and we recommend replacing it with more advanced algorithms such as SHA3 or SHA256.

"FuncName": "crypto/md5.New",
"SourceFilename": "github.com/Klevry/klevr/pkg/common/md5.go",
"SourceLineNum": 9,

---

"FuncName": "crypto/cipher.NewCBCEncrypter",
"SourceCode": "ecb := cipher.NewCBCEncrypter(block, getIvParam(key))",
"SourceFilename": "github.com/Klevry/klevr/pkg/common/encrypt.go",
"SourceLineNum": 32,

    "SourceCode": "func getIvParam(key string) []byte {
                            var param []byte = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
                        
                            b := []byte(key)
                            len := len(b)
                        
                            for i := 0; i < 16 && i < len; i++ {
	                            param[i] = b[i]
                            }
                        
                            return param
                        }",
    "SourceFilename": "github.com/Klevry/klevr/pkg/common/encrypt.go",
    "SourceLineNum": 169