Potential CWE-327 #293

@OleksandrShkurat

Description

Hello guys.
From time to time we perform a Veracode security scan of our project's compiled artifacts.
In addition to analysing our own code, it also checks the 3rd-party libraries we use.
The latest scan has identified several security issues related to pubnub-gson-6.4.1.jar
I would be grateful for your opinion on this.

Here is the list of findings:

CWE-327, Use of a Broken or Risky Cryptographic Algorithm (Medium severity):

  • com.pubnub.api.crypto.cryptor.AesCbcCryptor.kt:91
  • com.pubnub.api.crypto.cryptor.LegacyCryptor.kt:203

It looks like both lines instantiate the IvParameterSpec class, which is considered unsafe.

I would be glad to know what you think of it.

Thank you in advance.
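For readers triaging a finding like this: an added illustration, not PubNub code and not a statement about what the two flagged lines actually do. Constructing IvParameterSpec is not a weakness by itself; scanners react to the IV argument being a constant or otherwise predictable, because in CBC mode a reused IV makes identical plaintexts encrypt to identical ciphertexts. The example below (hypothetical class IvDemo, constructed key and messages) shows the pattern a scanner flags next to the per-message random-IV form, and a runnable check that distinguishes the two. The practical triage step is to trace where the byte array passed to the constructor at the reported lines comes from.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (not PubNub code): what scanners flag around new IvParameterSpec(...)
// and what the per-message random-IV form looks like. Key and messages are constructed test data.
public class IvDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16; // AES block size; CBC IV must be one block

    // The pattern scanners flag: an IV built from a constant (hypothetical, do not copy).
    private static final byte[] STATIC_IV =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // Insecure form: same key + same IV for every message.
    static byte[] encryptCbcStaticIv(SecretKey key, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));
        return c.doFinal(plaintext);
    }

    // Safer form: fresh random IV per message, prepended to the ciphertext so the
    // receiver can recover it. Same IvParameterSpec class, different provenance of bytes.
    static byte[] encryptCbcRandomIv(SecretKey key, byte[] plaintext)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptCbcRandomIv(SecretKey key, byte[] ivAndCt)
            throws GeneralSecurityException {
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(ivAndCt, 0, IV_LEN));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCt, IV_LEN, ivAndCt.length - IV_LEN);
    }

    // Triage check: encrypt the same message twice and compare. Equal ciphertexts
    // mean the IV (and key) were reused, which is what the CWE-327 finding is about.
    static boolean leaksEqualPlaintexts(SecretKey key, byte[] msg, boolean useStaticIv)
            throws GeneralSecurityException {
        byte[] a = useStaticIv ? encryptCbcStaticIv(key, msg) : encryptCbcRandomIv(key, msg);
        byte[] b = useStaticIv ? encryptCbcStaticIv(key, msg) : encryptCbcRandomIv(key, msg);
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] keyBytes = new byte[16];
        RNG.nextBytes(keyBytes); // constructed throwaway key
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        byte[] msg = "same message sent twice".getBytes(StandardCharsets.UTF_8);

        System.out.println("static IV repeats ciphertext: " + leaksEqualPlaintexts(key, msg, true));
        System.out.println("random IV repeats ciphertext: " + leaksEqualPlaintexts(key, msg, false));
        byte[] back = decryptCbcRandomIv(key, encryptCbcRandomIv(key, msg));
        System.out.println("random IV round trip ok: " + Arrays.equals(back, msg));
    }
}
```

Two caveats when reading the report: a finding anchored on the constructor call says nothing by itself about the bytes passed in, so the review should follow the IV back to its source (SecureRandom, a counter, a constant, a hash of the key); and CBC provides no integrity, so if the library does not authenticate the ciphertext separately, an AEAD mode such as AES/GCM with a fresh 12-byte nonce per message is the stronger replacement rather than a better CBC IV.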
