Use of weak hash
Description
The MD5 hashing algorithm is considered cryptographically weak and vulnerable to collision attacks, where two different inputs generate the same output hash. When MD5 is used to hash sensitive data, attackers can exploit this weakness to generate collisions, allowing them to bypass security checks or pass malicious data off as legitimate.
Examples
Insecure Code
```ruby
require "digest"

Digest::MD5.hexdigest "sensitive information"
```
Secure Code
```ruby
require "openssl"

OpenSSL::Digest::SHA256.new.hexdigest "sensitive information"
```
Remediation
Replace the MD5 hashing algorithm with stronger cryptographic hash functions, such as SHA-256 or SHA-3.
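To find the call sites that need this replacement, the following added example (not code from this rule or from the linked Semgrep rule) runs a simplified line-based check over Ruby source. The patterns, the names `find_md5_usage` and `strip_comment`, and the sample source are assumptions made for illustration.

```ruby
# Added example: simplified, line-based check for MD5 use in Ruby source.
# Patterns, names and the sample source are assumptions for illustration.
RULE_ID = "CODE-0521" # rule ID from this page

WEAK_MD5_PATTERNS = [
  /\b(?:OpenSSL::)?Digest::MD5\b/,                      # Digest::MD5, OpenSSL::Digest::MD5
  /\bOpenSSL::Digest\.(?:new|digest)\(\s*['"]md5['"]/i  # algorithm passed by name
].freeze

# Cut a trailing comment, ignoring '#' that appears inside a quoted string.
def strip_comment(line)
  quote = nil
  line.each_char.with_index do |ch, i|
    if quote
      quote = nil if ch == quote && line[i - 1] != "\\"
    elsif ch == '"' || ch == "'"
      quote = ch
    elsif ch == "#"
      return line[0...i]
    end
  end
  line
end

# Return one finding per source line that references MD5 outside a comment.
# String literals are not parsed, so MD5 named in ordinary text is still flagged.
def find_md5_usage(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    code = strip_comment(line)
    next unless WEAK_MD5_PATTERNS.any? { |re| code.match?(re) }
    findings << { rule: RULE_ID, line: lineno, code: code.strip }
  end
  findings
end

# Constructed sample input; not taken from a real project.
SAMPLE_SOURCE = <<~'RUBY'
  require "digest"
  token = Digest::MD5.hexdigest(session_id)
  # Digest::MD5 was used here before the migration
  sum = OpenSSL::Digest.new("md5").hexdigest(body)
  ok = OpenSSL::Digest::SHA256.new.hexdigest(body)
  legacy = OpenSSL::Digest::MD5.new
  tag = Digest::SHA256.hexdigest(body) # not Digest::MD5
RUBY

find_md5_usage(SAMPLE_SOURCE).each do |f|
  puts "#{f[:rule]} line #{f[:line]}: #{f[:code]}"
end
```

A line-based check like this misses aliased constants and calls split across lines, so treat it as a first pass before running a syntax-aware scanner.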
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0521 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-328 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | hashing, cryptographic weakness |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
References
- https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/weak-hashes-md5.yaml