CVE-2020-1045: Microsoft ASP.NET Core Security Feature Bypass Vulnerability
First published: Fri Aug 28 2020(Updated: )
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.
Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/Microsoft.AspNetCore.Http | <2.1.22 | 2.1.22 |
| nuget/Microsoft.AspNetCore.App.Runtime.win-arm64 | >=3.1.5<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.win-x86 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.win-x64 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.win-arm | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.osx-x64 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.linux-x64 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64 | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.AspNetCore.App.Runtime.linux-arm | >=3.1.0<3.1.8 | 3.1.8 |
| nuget/Microsoft.Owin | <4.1.1 | 4.1.1 |
| nuget/Microsoft.AspNetCore.App | <=2.1.21 | 2.1.22 |
| Microsoft ASP.NET Core | >=2.1<=2.1.21 | |
| Microsoft ASP.NET Core | >=3.1<3.1.8 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Aus | =8.2 | |
| Redhat Enterprise Linux Aus | =8.4 | |
| Redhat Enterprise Linux Aus | =8.6 | |
| Redhat Enterprise Linux Eus | =8.2 | |
| Redhat Enterprise Linux Eus | =8.4 | |
| Redhat Enterprise Linux Eus | =8.6 | |
| Redhat Enterprise Linux Tus | =8.2 | |
| Redhat Enterprise Linux Tus | =8.4 | |
| Redhat Enterprise Linux Tus | =8.6 | |
| >=2.1<=2.1.21 | ||
| >=3.1<3.1.8 | ||
| =32 | ||
| =33 | ||
| =8.0 | ||
| =8.2 | ||
| =8.4 | ||
| =8.6 | ||
| =8.2 | ||
| =8.4 | ||
| =8.6 | ||
| =8.2 | ||
| =8.4 | ||
| =8.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-1045
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045
- https://github.com/github/advisory-database/issues/302
- https://github.com/dotnet/aspnetcore/pull/24264
- https://github.com/dotnet/announcements/issues/165
- https://github.com/dotnet/aspnetcore/issues/25701
- https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477
- https://access.redhat.com/errata/RHSA-2020:3699
- https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318
- https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/
- https://github.com/advisories/GHSA-hxrm-9w7p-39cc (Advisory)
- https://github.com/dotnet/aspnetcore/issues/23578
- https://access.redhat.com/errata/RHSA-2020:3697
- https://access.redhat.com/security/cve/cve-2020-1045
- https://bugzilla.redhat.com/show_bug.cgi?id=1873451
Frequently Asked Questions
What is CVE-2020-1045?
CVE-2020-1045 is a security feature bypass vulnerability in Microsoft ASP.NET Core.
What is the severity of CVE-2020-1045?
The severity of CVE-2020-1045 is high (7.5).
Which software is affected by CVE-2020-1045?
Microsoft ASP.NET Core versions 2.1.21 to 2.1 and 3.1.8 to 3.1 are affected by CVE-2020-1045.
How does CVE-2020-1045 work?
CVE-2020-1045 allows a malicious attacker to set a second cookie with a percent-encoded name by exploiting how ASP.NET Core parses encoded cookie names.
How can I fix CVE-2020-1045?
Update to the patched versions of Microsoft ASP.NET Core (2.1.21 or later for 2.1.x versions, 3.1.8 or later for 3.1.x versions).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/github-advisory
- source/GitHub
- alias/GHSA-hxrm-9w7p-39cc
- alias/CVE-2020-1045
- collector/github-advisory-latest
- collector/mitre-cve
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/nuget
- vendor/microsoft
- canonical/microsoft asp.net core
- version/microsoft asp.net core/2.1
- version/microsoft asp.net core/2.1.21
- version/microsoft asp.net core/3.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux aus
- version/redhat enterprise linux aus/8.2
- version/redhat enterprise linux aus/8.4
- version/redhat enterprise linux aus/8.6
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.2
- version/redhat enterprise linux eus/8.4
- version/redhat enterprise linux eus/8.6
- canonical/redhat enterprise linux tus
- version/redhat enterprise linux tus/8.2
- version/redhat enterprise linux tus/8.4
- version/redhat enterprise linux tus/8.6