Vulnerability CVE-2020-1045: Information

Description

<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p> <p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p> <p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References to Advisories, Solutions, and Tools

1. Affected configurations:

   1. Configuration 1

      cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*

      Start including

      2.1

      End including

      2.1.21

      ---

      cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*

      Start including

      3.1

      End excliding

      3.1.8

      ---

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

      ---

      Configuration 3

      cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_aus:8.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_tus:8.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_aus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_tus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_tus:8.6:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_aus:8.6:*:*:*:*:*:*:*

      ---