...
The available encodings are listed in the Supported Encodings document [Encodings 2014]. In the absence of an explicitly specified encoding, conversions use the system default encoding. Compatible encodings must be used when characters are output as an array of bytes then input by another JVM and subsequently converted back to characters.
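The effect of incompatible encodings can be seen in the following added example, which is not part of the original rule text. The class name `EncodingRoundTrip`, the helper `decodeStrict`, and the sample string are constructed for illustration, and the two JVMs are simulated inside one process by encoding and decoding with different charsets.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class EncodingRoundTrip {
    // Constructed sample text containing non-ASCII characters.
    static final String MESSAGE = "r\u00e9sum\u00e9";

    // Strict decode: throws on bytes that are invalid in the charset
    // instead of silently substituting U+FFFD as new String(bytes, cs) does.
    static String decodeStrict(byte[] wire, Charset cs) throws CharacterCodingException {
        return cs.newDecoder()
                 .onMalformedInput(CodingErrorAction.REPORT)
                 .onUnmappableCharacter(CodingErrorAction.REPORT)
                 .decode(ByteBuffer.wrap(wire))
                 .toString();
    }

    public static void main(String[] args) throws CharacterCodingException {
        // What bare getBytes() and new String(byte[]) would use on this JVM.
        System.out.println("default charset: " + Charset.defaultCharset());

        // Case 1: sender uses ISO-8859-1, receiver uses UTF-8.
        // The byte 0xE9 followed by an ASCII byte is malformed UTF-8.
        byte[] latin1 = MESSAGE.getBytes(StandardCharsets.ISO_8859_1);
        String lenient = new String(latin1, StandardCharsets.UTF_8);
        System.out.println("lenient intact: " + MESSAGE.equals(lenient));
        try {
            decodeStrict(latin1, StandardCharsets.UTF_8);
        } catch (CharacterCodingException e) {
            System.out.println("strict decode rejected input: " + e);
        }

        // Case 2: sender uses UTF-8, receiver uses ISO-8859-1. Every byte is
        // valid ISO-8859-1, so even strict decoding yields wrong text silently.
        byte[] utf8 = MESSAGE.getBytes(StandardCharsets.UTF_8);
        String mismatched = decodeStrict(utf8, StandardCharsets.ISO_8859_1);
        System.out.println("mismatch intact: " + MESSAGE.equals(mismatched));

        // Case 3: both sides name the same charset explicitly.
        String matched = decodeStrict(utf8, StandardCharsets.UTF_8);
        System.out.println("matched intact: " + MESSAGE.equals(matched));
    }
}
```

Only the third case preserves the text. The second case shows why strict decoding alone is not a substitute for agreeing on the encoding: the receiver cannot detect the mismatch from the bytes.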
According to the Java API [API 2014] for the String class:
...
Sound automated detection of this vulnerability is not feasible.
Bibliography
[API 2014] | |
[Seacord 2015] | STR04-J. Use compatible character encodings when communicating string data between JVMs LiveLesson |
...