[JAVA-4014] Usage of broken hash algorithm detected Created: 12/Feb/21 Updated: 12/Feb/21 Resolved: 12/Feb/21 |
|
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Mahir Kabir | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
In file https://github.com/musasesay/mongo-java-driver/blob/033f4a7a0b369a641bf1e81352ee37b102c8ae4f/driver/src/main/com/mongodb/client/gridfs/GridFSUploadStreamImpl.java (at Line 59) "md5" algorithm has been used.

Security Impact: The MD5 Message-Digest Algorithm is not collision-resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks.

Useful Resources: https://www.cvedetails.com/cve/CVE-2004-2761/

Solution we suggest: Use SHA >= 256 algorithms instead.

Please share with us your opinions/comments if there are any: Is the bug report helpful? |
| Comments |
| Comment by Ross Lawley [ 12/Feb/21 ] |
|
Please note the repository listed is an old outdated clone of the official repository. See: https://github.com/mongodb/mongo-java-driver/ |
| Comment by Ross Lawley [ 12/Feb/21 ] |
|
Originally MD5 was used as a checksum of the file's content, in

Then in the 4.0 driver MD5 usage was removed - see

All the best,
Ross |