CVE-2005-4900
Published: 2016-10-14 · Last updated: 2026-05-06
Severity and scoring
- CVSS: 5.9 MEDIUM
- Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-326
Affected products
| Vendor | Product |
|---|---|
| chrome |
Description
SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2005-4900
- [Other] http://ia.cr/2007/474
- [Other] http://shattered.io/
- [Other] http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1
- [Other] http://www.securityfocus.com/bid/12577
- [Other] https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
- [Other] https://kc.mcafee.com/corporate/index?page=content&id=SB10340
- [Other] https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html
- [Other] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
- [Other] https://sites.google.com/site/itstheshappening
- [Other] https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
- [Other] https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html