CVE-2005-2946 — Use of a Broken or Risky Cryptographic Algorithm in Openssl

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-1240 — Use of a Cryptographic Primitive with a Risky Implementation9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 59.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Canonical Ubuntu Linux

Timeline

PublishedSep 16

Latest updateMay 1

Description

The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/openssl< openssl 0.9.8-1 (bookworm)

▶NVDopenssl/openssl< 0.9.8

▶Debianopenssl/openssl< 0.9.8-1+3

Also affects: Ubuntu Linux 4.10, 5.04

🔴Vulnerability Details

GHSA

GHSA-frvr-h7xx-w54m: The default configuration on OpenSSL before 0↗2022-05-01

▶

OSV

CVE-2005-2946: The default configuration on OpenSSL before 0↗2005-09-16

▶

📋Vendor Advisories

Cisco

OpenSSL Version Rollback and Weak Cryptographic Algorithm Vulnerabilities↗2005-10-12

▶

Debian

CVE-2005-2946: openssl - The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message ...↗2005

▶

Red Hat

CVE-2005-2946: The default configuration on OpenSSL before 0↗

▶

📐Framework References

CWE

Use of a Cryptographic Primitive with a Risky Implementation↗

▶

CWE

Use of a Broken or Risky Cryptographic Algorithm↗

▶

💬Community

Bugzilla

CVE-2005-2946 openssl insecure default message digest↗2005-10-03

▶