java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils
returntocorpAuthor
unknown
Download Count*
License
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.
Run Locally
Run in CI
Defintion
rules:
- id: use-of-md5-digest-utils
message: Detected MD5 hash algorithm which is considered insecure. MD5 is not
collision resistant and is therefore not suitable as a cryptographic
signature. Use HMAC instead.
languages:
- java
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-328: Use of Weak Hash"
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
category: security
technology:
- java
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
patterns:
- pattern: |
$DU.$GET_ALGO().digest(...)
- metavariable-pattern:
metavariable: $GET_ALGO
pattern: getMd5Digest
- metavariable-pattern:
metavariable: $DU
pattern: DigestUtils
- focus-metavariable: $GET_ALGO
fix: |
getSha512Digest
Examples
use-of-md5-digest-utils.java
import java.security.MessageDigest;
import org.apache.commons.codec.digest.DigestUtils;
public class Bad{
public byte[] bad1(String password) {
// ok: use-of-md5-digest-utils
MessageDigest md5Digest = MessageDigest.getInstance("MD5");
md5Digest.update(password.getBytes());
byte[] hashValue = md5Digest.digest();
return hashValue;
}
public byte[] bad2(String password) {
// ruleid: use-of-md5-digest-utils
byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
return hashValue;
}
public byte[] ok(String password) {
// ok: use-of-md5-digest-utils
byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes());
return hashValue;
}
}
Short Link: https://sg.run/AWL2