CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

CVE-2024-54143 – openwrt/asu allows build artifact poisoning via truncated SHA-256 hash and command injection
https://notcve.org/view.php?id=CVE-2024-54143
06 Dec 2024 — openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. This can be combined with other attacks, such as a command ...

Reference: https://github.com/openwrt/asu/commit/920c8a13d97b4d4095f0d939cf0aaae777e0f87e
CWE-328: Use of Weak Hash