Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Usage of insecure message digest algorithm (MD5) #56

Open
akwick opened this issue Apr 27, 2022 · 0 comments
Open

Usage of insecure message digest algorithm (MD5) #56

akwick opened this issue Apr 27, 2022 · 0 comments

Comments

@akwick
Copy link

akwick commented Apr 27, 2022

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, CogniCryptSAST, is one in your project:

  • PluggableParameterOperatorDigest uses MD5 as a parameter to java.security.MessageDigest. By now, it is possible to have collisions with MD5 and are not considered secure any longer. Therefore, one should not use MD5 anymore in a security context like password storage, token generation, or computation integrity. This misuse is also considered problematic by industry tools like SonarSource.

We hope that this information helps you and to hear back from you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant