CVE-2024-55885
Beego Vulnerable to Collision Hazards of MD5 in Cache Key Filenames
In short
The Beego web framework derives the filename of each file-cache entry from an MD5 hash of the cache key. MD5 is cryptographically broken against collision attacks, so two distinct keys can be made to map to the same file, which lets an attacker who influences cache keys overwrite or poison the value cached for another key and so alter what the application serves from its cache.
Technical detail
Beego versions prior to 2.3.4 employ MD5 to derive cache key filenames (CWE-327: Use of a Broken or Risky Cryptographic Algorithm; CWE-328: Use of Weak Hash). Because practical MD5 collisions exist, an adversary who can submit two different keys with identical MD5 digests causes both to resolve to the same cache file: a value written under one key is then returned for the other, enabling cache overwriting or poisoning. The attack vector requires the ability to influence the bytes of the cache key with enough freedom to embed collision blocks; where the key is built from a fixed prefix plus attacker input, a chosen-prefix collision computed for that prefix is needed, while any common suffix appended after the colliding blocks preserves the collision. The impact is to the integrity of cached data (VI:L in the CVSS vector), not to confidentiality or availability. Version 2.3.4 mitigates this by replacing MD5 with SHA-256 for the filename derivation.
Summary generated and translated by AI from the official description.
beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.
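The following Go program is an added example, not beego's own code, that models the issue described above: a minimal file-backed cache (the `fileCache` type and its `Put`/`Get` methods are a hypothetical simplification, not beego's API) names each entry's file after a hash of the key. Using the two 128-byte messages published by Wang et al. in 2004, which share an MD5 digest but differ in six bytes, it shows that a value stored under one key is returned for the other when the filename is MD5-derived, and that the same pair lands in two separate files once the derivation uses SHA-256. The `/profile` suffix appended to both keys illustrates that a common suffix after the colliding blocks does not disturb the collision.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"os"
	"path/filepath"
)

// Two 128-byte messages published by Wang et al. (2004) that have the same
// MD5 digest. Embedded here as constructed sample input; they differ only in
// six bytes (each by 0x80), and any suffix appended to both keeps them colliding.
var collisionA, _ = hex.DecodeString(
	"d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89" +
		"55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b" +
		"d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0" +
		"e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
var collisionB, _ = hex.DecodeString(
	"d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89" +
		"55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b" +
		"d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0" +
		"e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

// fileCache is a hypothetical, deliberately minimal model of a file-backed
// cache (not beego's implementation): every value lives in one file whose
// name is the hex digest of the key under the configured hash function.
type fileCache struct {
	dir     string
	newHash func() hash.Hash
}

func (c *fileCache) fileName(key string) string {
	h := c.newHash()
	h.Write([]byte(key))
	return filepath.Join(c.dir, hex.EncodeToString(h.Sum(nil)))
}

func (c *fileCache) Put(key string, val []byte) error {
	return os.WriteFile(c.fileName(key), val, 0o600)
}

func (c *fileCache) Get(key string) ([]byte, error) {
	return os.ReadFile(c.fileName(key))
}

// sameDigest reports whether a and b hash to the same value under newHash.
func sameDigest(newHash func() hash.Hash, a, b []byte) bool {
	ha, hb := newHash(), newHash()
	ha.Write(a)
	hb.Write(b)
	return bytes.Equal(ha.Sum(nil), hb.Sum(nil))
}

// poisoned runs the scenario against a cache whose filenames come from newHash:
// the victim's value is stored under keyB, then the attacker stores a value
// under the colliding keyA. It returns true if a read of keyB now yields the
// attacker's value, i.e. if the cache entry was overwritten through the collision.
func poisoned(newHash func() hash.Hash) (bool, error) {
	dir, err := os.MkdirTemp("", "cachedemo")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	c := &fileCache{dir: dir, newHash: newHash}

	// Both keys end in the same suffix; the collision blocks come first, so
	// the MD5 internal state is identical before the suffix is absorbed.
	keyA := string(collisionA) + "/profile"
	keyB := string(collisionB) + "/profile"

	if err := c.Put(keyB, []byte("legitimate")); err != nil {
		return false, err
	}
	if err := c.Put(keyA, []byte("attacker-controlled")); err != nil {
		return false, err
	}
	got, err := c.Get(keyB)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, []byte("attacker-controlled")), nil
}

func main() {
	fmt.Println("MD5 digests equal:   ", sameDigest(md5.New, collisionA, collisionB))
	fmt.Println("SHA-256 digests equal:", sameDigest(sha256.New, collisionA, collisionB))
	p, err := poisoned(md5.New)
	fmt.Println("MD5-named cache poisoned:    ", p, err)
	p, err = poisoned(sha256.New)
	fmt.Println("SHA-256-named cache poisoned:", p, err)
}
```

Note that the published pair was computed from MD5's standard initial state, so it only works when the colliding bytes start the hashed message; if an application hashes a fixed prefix first, the attacker must compute a chosen-prefix collision for that prefix instead, which is more expensive but still practical for MD5.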
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
beego · beego