Vulnerability

CVE-2020-1045

 Report advisory or correction

CVSS Score 5.0 medium

CVSS Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE

CWE-noinfo

References

https://github.com/dotnet/announcements/issues/165
https://github.com/dotnet/aspnetcore/issues/23578
https://github.com/dotnet/aspnetcore/issues/25701
https://github.com/dotnet/aspnetcore/pull/23579
https://github.com/dotnet/aspnetcore/pull/24264
https://github.com/dotnet/aspnetcore/pull/24389
https://github.com/dotnet/core/blob/master/release-notes/3.1/3.1.8/3.1.8.md#cve-2020-1045--microsoft-aspnet-core-security-feature-bypass-vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1045
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1045

[CVE-2020-1045] CWE-noinfo

Description

<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p> <p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p> <p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See Microsoft.AspNetCore.Http package information