CVE-2021-44150: Use of Sha-1 in tusdotnet

CVSS Score: 3.1

Basic Information

EPSS Score: 0.30954%
Published: 11/29/2021
Updated: 2/1/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| tusdotnet | nuget | <= 2.5.0 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from explicit use of SHA-1 in multiple core components: (1) the checksum calculation implementation (CalculateSha1), (2) checksum verification during chunk processing, (3) the algorithm restriction in the checksum store interface, and (4) a hardcoded SHA-1 fallback mechanism. SHA-1 has known collision weaknesses (demonstrated by the SHAttered attack), which make these functions risky because crafted collisions could enable spoofing of file content. Code references from GitHub issues and the CWE-327 classification confirm the cryptographic weakness pattern.
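As an added illustration of points (2) to (4), not code from tusdotnet or from this advisory, the sketch below verifies a chunk checksum against an explicit algorithm allow-list with no SHA-1 fallback. It assumes the client sends the checksum as "<algorithm> <Base64 digest>" (the form the tus checksum extension uses in its Upload-Checksum header); the class and method names and the choice of sha256/sha512 as the accepted set are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not tusdotnet code; every name below is hypothetical.
public static class ChunkChecksum
{
    public enum Result { Ok, Mismatch, UnsupportedAlgorithm, Malformed }

    // Explicit allow-list: an algorithm that is not listed is rejected.
    private static readonly Dictionary<string, Func<HashAlgorithm>> Allowed =
        new Dictionary<string, Func<HashAlgorithm>>(StringComparer.OrdinalIgnoreCase)
        {
            ["sha256"] = () => SHA256.Create(),
            ["sha512"] = () => SHA512.Create(),
        };

    // header is assumed to be "<algorithm> <base64 digest>".
    public static Result Verify(string header, byte[] chunk)
    {
        var parts = (header ?? "").Split(new[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 2) return Result.Malformed;
        // No fallback: an unknown or missing algorithm never degrades to SHA-1.
        if (!Allowed.TryGetValue(parts[0], out var create))
            return Result.UnsupportedAlgorithm;
        byte[] expected;
        try { expected = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return Result.Malformed; }
        using (var hash = create())
        {
            // FixedTimeEquals returns false on a length mismatch and does not exit early.
            return CryptographicOperations.FixedTimeEquals(hash.ComputeHash(chunk), expected)
                ? Result.Ok : Result.Mismatch;
        }
    }

    public static void Main()
    {
        var chunk = Encoding.UTF8.GetBytes("constructed sample chunk");
        string digest;
        using (var h = SHA256.Create()) digest = Convert.ToBase64String(h.ComputeHash(chunk));
        Console.WriteLine(Verify("sha256 " + digest, chunk));                                // matching chunk
        Console.WriteLine(Verify("sha256 " + digest, Encoding.UTF8.GetBytes("other data"))); // altered chunk
        Console.WriteLine(Verify("sha1 " + digest, chunk));                                  // algorithm not on the list
        Console.WriteLine(Verify("sha256 ***", chunk));                                      // invalid Base64
    }
}
```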


Withdrawn: After reviewing this CVE, we have withdrawn this advisory due to it not having actual security impact.

Original advisory: The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoofing of file content.
