Login Sign Up

CVE-2022-29930

8.7 HIGH
Authentication Bypass

📋 TL;DR

This CVE describes a critical vulnerability in JetBrains Ktor Native 2.0.0 where the SHA1 implementation returned the same hash value for all inputs, completely breaking cryptographic integrity. This affects any application using Ktor Native 2.0.0 for cryptographic operations, authentication, or data integrity verification. The vulnerability was fixed in version 2.0.1.

💻 Affected Systems

Products:
  • JetBrains Ktor Native
Versions: 2.0.0 only
Operating Systems: All platforms supported by Ktor Native
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Ktor Native (not the JVM version), specifically version 2.0.0. Any application using SHA1 hashing via Ktor Native 2.0.0 is vulnerable.

📦 What is this software?

Ktor by Jetbrains

View all CVEs affecting Ktor →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of cryptographic security leading to authentication bypass, data tampering, and impersonation attacks across all systems using affected Ktor implementations.

🟠

Likely Case

Authentication bypass, session hijacking, and data integrity violations in applications relying on SHA1 hashing for security functions.

🟢

If Mitigated

Limited impact if applications have additional security layers, but cryptographic operations remain fundamentally broken.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is trivial to exploit - any SHA1 hash will match any other SHA1 hash. No special tools or techniques required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.1

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Update Ktor Native dependency to version 2.0.1 or later. 2. Rebuild and redeploy your application. 3. Restart any running services using Ktor Native.

🔧 Temporary Workarounds

Disable SHA1 usage

all

Replace SHA1 hashing with alternative secure hash functions (SHA-256, SHA-3) in application code

Modify application code to use different hash algorithms

🧯 If You Can't Patch

  • Implement additional authentication layers (multi-factor authentication)
  • Monitor for anomalous authentication patterns and hash collisions

🔍 How to Verify

Check if Vulnerable:

Check if your application uses Ktor Native version 2.0.0 in dependency files (build.gradle.kts, pom.xml, etc.)

Check Version:

Check build configuration files or run: ./gradlew dependencies | grep ktor (for Gradle projects)

Verify Fix Applied:

Verify Ktor Native version is 2.0.1 or later in dependency files and rebuilt application

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful authentications with identical hash values
  • Hash collision warnings in security logs

Network Indicators:

  • Unusual authentication patterns
  • Multiple sessions from different credentials showing identical hash values

SIEM Query:

Search for authentication events where hash values are identical across different users or sessions

📊 Metadata

CVE ID: CVE-2022-29930
CVSS v3 Score: 8.7 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CWE: CWE-342
Published: May 12, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-29930, you might also want to check these:

CVE-2022-27577 9.1

This vulnerability in SICK MSC800 devices allows attackers to predict TCP initial sequence numbers, ...

Same vulnerability type (CWE-342)