7.5

CVE-2020-1045

Microsoft ASP.NET Core Security Feature Bypass Vulnerability

<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p>
<p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p>
<p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MicrosoftAsp.Net Core Version >= 2.1 <= 2.1.21
MicrosoftAsp.Net Core Version >= 3.1 < 3.1.8
FedoraprojectFedora Version32
FedoraprojectFedora Version33
RedhatEnterprise Linux Version8.0
RedhatEnterprise Linux Aus Version8.2
RedhatEnterprise Linux Aus Version8.4
RedhatEnterprise Linux Aus Version8.6
RedhatEnterprise Linux Eus Version8.2
RedhatEnterprise Linux Eus Version8.4
RedhatEnterprise Linux Eus Version8.6
RedhatEnterprise Linux Tus Version8.2
RedhatEnterprise Linux Tus Version8.4
RedhatEnterprise Linux Tus Version8.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.62% 0.93
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
secure@microsoft.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://access.redhat.com/errata/RHSA-2020:3699
Third Party Advisory
https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318
Third Party Advisory
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045
Patch
Vendor Advisory
https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600
Third Party Advisory