QwikSec

Security Database

CVE

CWE

Training

CVE-2020-1045

Published: Sep 11, 2020

Modified: Nov 18, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p> <p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p> <p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>

Vendor	Product	Versions
Microsoft	ASP.NET Core 2.1	affected `2.0 - < publication`
Microsoft	ASP.NET Core 3.1	affected `3.0 - < publication`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045

FEDORA-2020-e2deb72e0f

vendor-advisory

FEDORA-2020-48fa1ad65c

vendor-advisory

https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318

https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600

https://access.redhat.com/errata/RHSA-2020:3699

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.