Severity: 5.9 MEDIUM (NVD); GHSA 5.0; OSV 5.0
EPSS: 0.2% (top 55.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 14
Latest update: Oct 6

Description

SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (5 packages)

NVD: gradle/gradle < 6.0
debian: debian/gradle < gradle 4.4.1-18 (bookworm)
Debian: gradle/gradle < 4.4.1-18+2
NVD: google/chrome 47.0.2526.111

🔴 Vulnerability Details (6)

GHSA: SIF's Digital Signature Hash Algorithms Not Validated (2022-10-06)
OSV: SIF's Digital Signature Hash Algorithms Not Validated (2022-10-06)
GHSA: Use of a weak cryptographic algorithm in Gradle (2022-05-24)
OSV: Use of a weak cryptographic algorithm in Gradle (2022-05-24)
GHSA: GHSA-xj59-9qjv-fr54: SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the (2022-05-01)

📋 Vendor Advisories (2)

Red Hat: gradle: PGP signing plugin security bypass (2019-09-16)
Debian: CVE-2019-16370: gradle - The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which... (2019)

📐 Framework References (2)

CWE: Use of Weak Hash
CAPEC: Creating a Rogue Certification Authority Certificate

💬 Community (1)

Bugzilla: CVE-2019-16370 gradle: PGP signing plugin security bypass (2019-10-07)