A method in the class DigestUtils takes a string with the digest algorithm name.
The default algorithm name is SHA-256, which is secure. However, a user can pass in an insecure algorithm such as SHA-1 or MD5, and this might go unnoticed by the scanning tools.
Proposed solution:
Refactor to take a MessageDigest object rather than the algorithm name.
Set the default to SHA-256 as before.
Refactor call points to build and pass in a MessageDigest rather than a string.
This should attribute the vulnerability to the call point and allow us to close this issue. Other scan alerts might be opened for call points, which should be much easier to remediate.
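The following is an added sketch of the proposed refactor, not the project's own DigestUtils code. The class name DigestUtilsRefactor, the method names and the sample input are assumptions; it contrasts the current string-based API with the MessageDigest-based one, keeps SHA-256 as the default, and shows why the algorithm choice becomes visible at the call site (requires Java 17 for HexFormat).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Hypothetical sketch of the refactor described in the issue; not the real DigestUtils. */
public final class DigestUtilsRefactor {

    // Before: the API as the issue describes it. The algorithm is a free-form string,
    // so a caller passing "MD5" or "SHA-1" looks the same as a safe caller to a
    // scanner that only inspects this method.
    public static byte[] digestByName(byte[] data, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return md.digest(data);
    }

    // After: the caller constructs and passes the MessageDigest. The algorithm choice
    // now lives at the call site, which is where a scanner will flag a weak
    // MessageDigest.getInstance("MD5") and attribute the finding to that caller.
    public static byte[] digest(byte[] data, MessageDigest md) {
        md.reset(); // do not depend on any partial state the caller left behind
        return md.digest(data);
    }

    // Convenience overload that keeps the previous default of SHA-256.
    public static byte[] digest(byte[] data) {
        return digest(data, sha256());
    }

    // SHA-256 is a mandatory algorithm in every Java SE implementation, so the
    // checked exception can safely be converted to an unchecked one here.
    public static MessageDigest sha256() {
        try {
            return MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for demonstration only.
        byte[] input = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        HexFormat hex = HexFormat.of();

        // Default path: SHA-256, no algorithm name anywhere in the caller.
        System.out.println("sha256 : " + hex.formatHex(digest(input)));

        // Explicit call site: the algorithm selection is visible where it is made.
        MessageDigest sha512 = MessageDigest.getInstance("SHA-512");
        System.out.println("sha512 : " + hex.formatHex(digest(input, sha512)));

        // Old API with a weak algorithm: nothing on this line is a MessageDigest
        // construction, so a scanner keyed on getInstance() never sees the caller.
        System.out.println("old api: " + hex.formatHex(digestByName(input, "SHA-1")));
    }
}
```

Compile and run with `javac DigestUtilsRefactor.java && java DigestUtilsRefactor`. The design point is that `MessageDigest.getInstance(...)` is the expression static analysers key on; moving that expression out of the shared utility and into each caller is what lets the tool report the weak algorithm at the call point that chose it.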