Vulnerability Details CVE-2020-1045
<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p>
<p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p>
<p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>
Exploit prediction scoring system (EPSS) score
EPSS Score 0.204
EPSS Ranking 95.3%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://access.redhat.com/errata/RHSA-2020:3699
- https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045
- https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600
- https://access.redhat.com/errata/RHSA-2020:3699
- https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045
- https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600
Products affected by CVE-2020-1045
-
cpe:2.3:a:microsoft:asp.net_core:2.1
-
cpe:2.3:a:microsoft:asp.net_core:2.1.0
-
cpe:2.3:a:microsoft:asp.net_core:2.1.1
-
cpe:2.3:a:microsoft:asp.net_core:2.1.10
-
cpe:2.3:a:microsoft:asp.net_core:2.1.11
-
cpe:2.3:a:microsoft:asp.net_core:2.1.12
-
cpe:2.3:a:microsoft:asp.net_core:2.1.13
-
cpe:2.3:a:microsoft:asp.net_core:2.1.14
-
cpe:2.3:a:microsoft:asp.net_core:2.1.15
-
cpe:2.3:a:microsoft:asp.net_core:2.1.16
-
cpe:2.3:a:microsoft:asp.net_core:2.1.17
-
cpe:2.3:a:microsoft:asp.net_core:2.1.18
-
cpe:2.3:a:microsoft:asp.net_core:2.1.19
-
cpe:2.3:a:microsoft:asp.net_core:2.1.2
-
cpe:2.3:a:microsoft:asp.net_core:2.1.20
-
cpe:2.3:a:microsoft:asp.net_core:2.1.21
-
cpe:2.3:a:microsoft:asp.net_core:2.1.3
-
cpe:2.3:a:microsoft:asp.net_core:2.1.4
-
cpe:2.3:a:microsoft:asp.net_core:2.1.5
-
cpe:2.3:a:microsoft:asp.net_core:2.1.6
-
cpe:2.3:a:microsoft:asp.net_core:2.1.7
-
cpe:2.3:a:microsoft:asp.net_core:2.1.8
-
cpe:2.3:a:microsoft:asp.net_core:2.1.9
-
cpe:2.3:a:microsoft:asp.net_core:3.1
-
cpe:2.3:a:microsoft:asp.net_core:3.1.0
-
cpe:2.3:a:microsoft:asp.net_core:3.1.1
-
cpe:2.3:a:microsoft:asp.net_core:3.1.2
-
cpe:2.3:a:microsoft:asp.net_core:3.1.3
-
cpe:2.3:a:microsoft:asp.net_core:3.1.4
-
cpe:2.3:a:microsoft:asp.net_core:3.1.5
-
cpe:2.3:a:microsoft:asp.net_core:3.1.6
-
cpe:2.3:a:microsoft:asp.net_core:3.1.7
-
cpe:2.3:o:fedoraproject:fedora:32
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux_aus:8.2
-
cpe:2.3:o:redhat:enterprise_linux_aus:8.4
-
cpe:2.3:o:redhat:enterprise_linux_aus:8.6
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.2
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.4
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.6
-
cpe:2.3:o:redhat:enterprise_linux_tus:8.2
-
cpe:2.3:o:redhat:enterprise_linux_tus:8.4
-
cpe:2.3:o:redhat:enterprise_linux_tus:8.6