CVE-2004-2761
Vulnerability from cvelistv5
Published
2009-01-05 20:00
Modified
2024-08-08 01:36
Severity ?
Summary
The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.
References
cve@mitre.orghttp://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/
cve@mitre.orghttp://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx
cve@mitre.orghttp://secunia.com/advisories/33826
cve@mitre.orghttp://secunia.com/advisories/34281
cve@mitre.orghttp://secunia.com/advisories/42181
cve@mitre.orghttp://securityreason.com/securityalert/4866
cve@mitre.orghttp://securitytracker.com/id?1024697
cve@mitre.orghttp://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html
cve@mitre.orghttp://www.doxpara.com/research/md5/md5_someday.pdf
cve@mitre.orghttp://www.kb.cert.org/vuls/id/836068Third Party Advisory, US Government Resource
cve@mitre.orghttp://www.microsoft.com/technet/security/advisory/961509.mspxMitigation, Patch, Vendor Advisory
cve@mitre.orghttp://www.phreedom.org/research/rogue-ca/
cve@mitre.orghttp://www.securityfocus.com/archive/1/499685/100/0/threaded
cve@mitre.orghttp://www.securityfocus.com/bid/33065
cve@mitre.orghttp://www.ubuntu.com/usn/usn-740-1
cve@mitre.orghttp://www.win.tue.nl/hashclash/SoftIntCodeSign/
cve@mitre.orghttp://www.win.tue.nl/hashclash/rogue-ca/
cve@mitre.orghttps://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php
cve@mitre.orghttps://bugzilla.redhat.com/show_bug.cgi?id=648886Issue Tracking
cve@mitre.orghttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
cve@mitre.orghttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
cve@mitre.orghttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
cve@mitre.orghttps://rhn.redhat.com/errata/RHSA-2010-0837.html
cve@mitre.orghttps://rhn.redhat.com/errata/RHSA-2010-0838.html
cve@mitre.orghttps://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03814en_us
cve@mitre.orghttps://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html
af854a3a-2127-422b-91ae-364da2661108http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/
af854a3a-2127-422b-91ae-364da2661108http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/33826
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/34281
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/42181
af854a3a-2127-422b-91ae-364da2661108http://securityreason.com/securityalert/4866
af854a3a-2127-422b-91ae-364da2661108http://securitytracker.com/id?1024697
af854a3a-2127-422b-91ae-364da2661108http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html
af854a3a-2127-422b-91ae-364da2661108http://www.doxpara.com/research/md5/md5_someday.pdf
af854a3a-2127-422b-91ae-364da2661108http://www.kb.cert.org/vuls/id/836068Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108http://www.microsoft.com/technet/security/advisory/961509.mspxMitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.phreedom.org/research/rogue-ca/
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/499685/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/33065
af854a3a-2127-422b-91ae-364da2661108http://www.ubuntu.com/usn/usn-740-1
af854a3a-2127-422b-91ae-364da2661108http://www.win.tue.nl/hashclash/SoftIntCodeSign/
af854a3a-2127-422b-91ae-364da2661108http://www.win.tue.nl/hashclash/rogue-ca/
af854a3a-2127-422b-91ae-364da2661108https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=648886Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
af854a3a-2127-422b-91ae-364da2661108https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
af854a3a-2127-422b-91ae-364da2661108https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
af854a3a-2127-422b-91ae-364da2661108https://rhn.redhat.com/errata/RHSA-2010-0837.html
af854a3a-2127-422b-91ae-364da2661108https://rhn.redhat.com/errata/RHSA-2010-0838.html
af854a3a-2127-422b-91ae-364da2661108https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03814en_us
af854a3a-2127-422b-91ae-364da2661108https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T01:36:25.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "33065",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/33065"
          },
          {
            "name": "RHSA-2010:0837",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2010-0837.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.phreedom.org/research/rogue-ca/"
          },
          {
            "name": "VU#836068",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/836068"
          },
          {
            "name": "4866",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/4866"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/"
          },
          {
            "name": "20090115 MD5 Hashes May Allow for Certificate Spoofing",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.win.tue.nl/hashclash/SoftIntCodeSign/"
          },
          {
            "name": "33826",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33826"
          },
          {
            "name": "34281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/34281"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.microsoft.com/technet/security/advisory/961509.mspx"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03814en_us"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.doxpara.com/research/md5/md5_someday.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"
          },
          {
            "name": "RHSA-2010:0838",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2010-0838.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php"
          },
          {
            "name": "USN-740-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/usn-740-1"
          },
          {
            "name": "1024697",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1024697"
          },
          {
            "name": "FEDORA-2009-1276",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888"
          },
          {
            "name": "20081230 MD5 Considered Harmful Today: Creating a rogue CA certificate",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/499685/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935"
          },
          {
            "name": "42181",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42181"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.win.tue.nl/hashclash/rogue-ca/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=648886"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-08-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-19T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "33065",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/33065"
        },
        {
          "name": "RHSA-2010:0837",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2010-0837.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.phreedom.org/research/rogue-ca/"
        },
        {
          "name": "VU#836068",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/836068"
        },
        {
          "name": "4866",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/4866"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/"
        },
        {
          "name": "20090115 MD5 Hashes May Allow for Certificate Spoofing",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.win.tue.nl/hashclash/SoftIntCodeSign/"
        },
        {
          "name": "33826",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33826"
        },
        {
          "name": "34281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/34281"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.microsoft.com/technet/security/advisory/961509.mspx"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03814en_us"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.doxpara.com/research/md5/md5_someday.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"
        },
        {
          "name": "RHSA-2010:0838",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2010-0838.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php"
        },
        {
          "name": "USN-740-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/usn-740-1"
        },
        {
          "name": "1024697",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1024697"
        },
        {
          "name": "FEDORA-2009-1276",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888"
        },
        {
          "name": "20081230 MD5 Considered Harmful Today: Creating a rogue CA certificate",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/499685/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935"
        },
        {
          "name": "42181",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42181"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.win.tue.nl/hashclash/rogue-ca/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=648886"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-2761",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "33065",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/33065"
            },
            {
              "name": "RHSA-2010:0837",
              "refsource": "REDHAT",
              "url": "https://rhn.redhat.com/errata/RHSA-2010-0837.html"
            },
            {
              "name": "http://www.phreedom.org/research/rogue-ca/",
              "refsource": "MISC",
              "url": "http://www.phreedom.org/research/rogue-ca/"
            },
            {
              "name": "VU#836068",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/836068"
            },
            {
              "name": "4866",
              "refsource": "SREASON",
              "url": "http://securityreason.com/securityalert/4866"
            },
            {
              "name": "http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/",
              "refsource": "MISC",
              "url": "http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/"
            },
            {
              "name": "20090115 MD5 Hashes May Allow for Certificate Spoofing",
              "refsource": "CISCO",
              "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html"
            },
            {
              "name": "http://www.win.tue.nl/hashclash/SoftIntCodeSign/",
              "refsource": "MISC",
              "url": "http://www.win.tue.nl/hashclash/SoftIntCodeSign/"
            },
            {
              "name": "33826",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/33826"
            },
            {
              "name": "34281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/34281"
            },
            {
              "name": "http://www.microsoft.com/technet/security/advisory/961509.mspx",
              "refsource": "MISC",
              "url": "http://www.microsoft.com/technet/security/advisory/961509.mspx"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03814en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03814en_us"
            },
            {
              "name": "http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx",
              "refsource": "MISC",
              "url": "http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx"
            },
            {
              "name": "http://www.doxpara.com/research/md5/md5_someday.pdf",
              "refsource": "MISC",
              "url": "http://www.doxpara.com/research/md5/md5_someday.pdf"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"
            },
            {
              "name": "RHSA-2010:0838",
              "refsource": "REDHAT",
              "url": "https://rhn.redhat.com/errata/RHSA-2010-0838.html"
            },
            {
              "name": "https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php",
              "refsource": "MISC",
              "url": "https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php"
            },
            {
              "name": "USN-740-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/usn-740-1"
            },
            {
              "name": "1024697",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1024697"
            },
            {
              "name": "FEDORA-2009-1276",
              "refsource": "FEDORA",
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html"
            },
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888"
            },
            {
              "name": "20081230 MD5 Considered Harmful Today: Creating a rogue CA certificate",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/499685/100/0/threaded"
            },
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935"
            },
            {
              "name": "42181",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/42181"
            },
            {
              "name": "http://www.win.tue.nl/hashclash/rogue-ca/",
              "refsource": "MISC",
              "url": "http://www.win.tue.nl/hashclash/rogue-ca/"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=648886",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=648886"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-2761",
    "datePublished": "2009-01-05T20:00:00",
    "dateReserved": "2009-01-05T00:00:00",
    "dateUpdated": "2024-08-08T01:36:25.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2004-2761\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-01-05T20:30:02.140\",\"lastModified\":\"2024-11-20T23:54:09.503\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.\"},{\"lang\":\"es\",\"value\":\"El algoritmo MD5 Message-Digest no resistente a colisi\u00f3n, el cual hace m\u00e1s f\u00e1cil para atacantes dependientes de contexto, llevar a cabo ataques de suplantaci\u00f3n, como lo demuestran los ataques de utilizaci\u00f3n de MD5 en la firma del algoritmo de un certificado X.509.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ietf:md5:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5DFFBAC4-D50D-4CC4-A12C-9708D3C1199C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:ietf:x.509_certificate:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3009C5D9-9EF8-43B2-BF17-DEBC497994B5\"}]}]}],\"references\":[{\"url\":\"http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/33826\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/34281\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/42181\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securityreason.com/securityalert/4866\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securitytracker.com/id?1024697\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.doxpara.com/research/md5/md5_someday.pdf\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.kb.cert.org/vuls/id/836068\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.microsoft.com/technet/security/advisory/961509.mspx\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.phreedom.org/research/rogue-ca/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/499685/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/33065\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ubuntu.com/usn/usn-740-1\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.win.tue.nl/hashclash/SoftIntCodeSign/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.win.tue.nl/hashclash/rogue-ca/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=648886\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://rhn.redhat.com/errata/RHSA-2010-0837.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://rhn.redhat.com/errata/RHSA-2010-0838.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03814en_us\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/33826\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/34281\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/42181\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityreason.com/securityalert/4866\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securitytracker.com/id?1024697\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.doxpara.com/research/md5/md5_someday.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.kb.cert.org/vuls/id/836068\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.microsoft.com/technet/security/advisory/961509.mspx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.phreedom.org/research/rogue-ca/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/499685/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/33065\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/usn-740-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.win.tue.nl/hashclash/SoftIntCodeSign/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.win.tue.nl/hashclash/rogue-ca/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=648886\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://rhn.redhat.com/errata/RHSA-2010-0837.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://rhn.redhat.com/errata/RHSA-2010-0838.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03814en_us\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorImpact\":\"There are four significant mitigating factors.\\n\\n1) Most enterprise-class certificates, such as VeriSign\u2019s Extended Validation SSL Certificates use the still secure SHA-1 hash function. \\n\\n2) Certificates already issued with MD5 signatures are not at risk.  The exploit only affects new certificate acquisitions. \\n\\n3) CAs are quickly moving to replace MD5 with SHA-1.  For example, VeriSign was planning to phase out MD5 by the end of January 2009.  The date was pushed up due to the December proof of concept.  On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures. \\n\\n4)The researchers did not release the under-the-hood specifics of how the exploit was executed. \\n\\nSource - http://www.techrepublic.com/blog/it-security/the-new-md5-ssl-exploit-is-not-the-end-of-civilization-as-we-know-it/?tag=nl.e036\",\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"Please see http://kbase.redhat.com/faq/docs/DOC-15379\",\"lastModified\":\"2009-01-07T00:00:00\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.