Thibaut SAUTEREAU created JAMES-2240:
----------------------------------------

Summary: Use of MD5 for checksum to index email body
Key: JAMES-2240
URL: https://issues.apache.org/jira/browse/JAMES-2240
Project: James Server
Issue Type: Bug
Components: James Core
Affects Versions: master
Reporter: Thibaut SAUTEREAU

In the MBoxMailRepository class, the generateKeyValue() function uses MD5 to compute a key, which is supposed to be unique in order to then index every single email body.

However, MD5 is vulnerable to lots of collisions and an attacker could manage to replace (understand "overwrite") an existing indexed email body by another one, leading to many potential abuses.

A more cryptographically secure hash function such as SHA-256 or SHA-512 should be used instead.