CollabNet Subversion Edge weak password storage mechanism

Type securityvulns
Reporter Securityvulns
Modified 2015-07-05T00:00:00


Vuln Title: The CollabNet Subversion Edge stores passwords as unsalted MD5 hashes

Date: 28.06.2015

Author: otr

Software Link:

Vendor: CollabNet

Version: 4.0.11

Tested on: Fedora Linux

Type: Insecure password storage

Risk: Medium

Status: public/fixed

Fixed version: 5.0


2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure


The CollabNet Subversion Edge Management stores passwords as unsalted MD5 hashes. Unsalted MD5 hashes can easily be cracked by brute forcing the password.

Fix proposal:

Use a strong password storage algorithm like scrypt or PBKDF2.

Vendor fix:

We opted to go with bcrypt. It has more usage than scrypt and does not have any known vulnerabilities; it is also more easily supported with the subversion server, not just the Edge admin console. The strength factor is configurable.