CVE-2021-44150: Use of Sha-1 in tusdotnet
3.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.30954%
CWE
Published
11/29/2021
Updated
2/1/2023
KEV Status
No
Technology
C#
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
tusdotnet | nuget | <= 2.5.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from explicit use of SHA-1
in multiple core components: 1) Checksum
calculation implementation (CalculateSha1
), 2) Checksum
verification during chunk processing, 3) Algorithm
restriction in the checksum
store interface, and 4) Hardcoded SHA-1
fallback mechanism. SHA-1
's known collision vulnerabilities (demonstrated by SHAttered
attack) make these functions risky as they enable spoofing of file content through crafted collisions. The code references from GitHub
issues and CWE-327
classification confirm the cryptographic weakness pattern.