gsd-2020-1045
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2020-1045",
    "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
    "id": "GSD-2020-1045",
    "references": [
      "https://access.redhat.com/errata/RHSA-2020:3699",
      "https://access.redhat.com/errata/RHSA-2020:3697",
      "https://linux.oracle.com/cve/CVE-2020-1045.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-1045"
      ],
      "details": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
      "id": "GSD-2020-1045",
      "modified": "2023-12-13T01:21:57.661467Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2020-1045",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ASP.NET Core 2.1",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "2.0",
                          "version_value": "publication"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "ASP.NET Core 3.1",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "3.0",
                          "version_value": "publication"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\u003cp\u003eA security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.\u003c/p\u003e\n\u003cp\u003eThe ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.\u003c/p\u003e\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Security Feature Bypass"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "refsource": "MISC",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/"
          },
          {
            "name": "https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318",
            "refsource": "MISC",
            "url": "https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318"
          },
          {
            "name": "https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600",
            "refsource": "MISC",
            "url": "https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600"
          },
          {
            "name": "https://access.redhat.com/errata/RHSA-2020:3699",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2020:3699"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.1,3.1]",
          "affected_versions": "All versions starting from 2.1 up to 3.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2020-10-02",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 2.1, all versions after 3.1",
          "package_slug": "nuget/Microsoft.AspNetCore.All",
          "pubdate": "2020-09-11",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/dotnet/announcements/issues/165"
          ],
          "uuid": "0fa8c9d0-386f-4331-b825-2746499e224f"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-03",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Ref",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "abfae8f0-eecf-45e4-8e3b-22108e09ca97"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.linux-arm",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "17c352af-7f6d-4111-b308-c68a6e5ee2ac"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "705a3e72-dce6-4975-842c-84b4e30c1add"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "bde90e24-ef84-486e-9fef-4f6da63b3588"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "021b1353-16b3-47bc-b65b-2a05cb83dc4f"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.linux-x64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "f4039477-e166-4cf1-b9c9-bbd9fad431e4"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.osx-x64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "9c7e5db1-b093-4db7-bc8d-b6f9fddb10cb"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.win-arm",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "209a72d6-60dd-492b-81e7-2cfa0f0ef859"
        },
        {
          "affected_range": "[3.1.5,3.1.8)",
          "affected_versions": "All versions starting from 3.1.5 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-09-06",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.5, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.win-arm64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "1a7abad4-5ecc-452b-885a-e2ba445e08a2"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.win-x64",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "996ccdb8-ea61-4982-89c6-a29b0005abd3"
        },
        {
          "affected_range": "[3.1.0,3.1.8)",
          "affected_versions": "All versions starting from 3.1.0 before 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.1.8",
          "package_slug": "nuget/Microsoft.AspNetCore.App.Runtime.win-x86",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "c1fb356b-5068-4ab4-a323-cc560240191d"
        },
        {
          "affected_range": "(,2.1.21]",
          "affected_versions": "All versions up to 2.1.21",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "2.1.22"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions after 2.1.21",
          "package_slug": "nuget/Microsoft.AspNetCore.App",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 2.1.22 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "0d864951-8603-4073-a3fc-3704d4bf5376"
        },
        {
          "affected_range": "(,2.1.22)",
          "affected_versions": "All versions before 2.1.22",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-07-08",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "2.1.22"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions starting from 2.1.22",
          "package_slug": "nuget/Microsoft.AspNetCore.Http",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 2.1.22 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "744de9f2-7edb-4e53-976c-d20777c420f8"
        },
        {
          "affected_range": "[2.1.21],[3.1.7]",
          "affected_versions": "Version 2.1.21, version 3.1.7",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-07-28",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "2.1.22",
            "3.1.8"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions before 2.1.21, all versions after 2.1.21 before 3.1.7, all versions after 3.1.7",
          "package_slug": "nuget/Microsoft.AspNetCore.Owin",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to versions 2.1.22, 3.1.8 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "cd03ddb0-8c9e-4e84-a7ee-5fd290d7e981"
        },
        {
          "affected_range": "(,4.1.1)",
          "affected_versions": "All versions before 4.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-26",
          "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka \u0027Microsoft ASP.NET Core Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "4.1.1"
          ],
          "identifier": "CVE-2020-1045",
          "identifiers": [
            "GHSA-hxrm-9w7p-39cc",
            "CVE-2020-1045"
          ],
          "not_impacted": "All versions starting from 4.1.1",
          "package_slug": "nuget/Microsoft.Owin",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 4.1.1 or above.",
          "title": "Cookie parsing failure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045",
            "https://github.com/github/advisory-database/issues/302",
            "https://github.com/dotnet/aspnetcore/pull/24264",
            "https://github.com/dotnet/announcements/issues/165",
            "https://github.com/dotnet/aspnetcore/issues/25701",
            "https://github.com/dotnet/aspnetcore/issues/25701#issuecomment-689434477",
            "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
          ],
          "uuid": "bf3c17ba-ebed-4011-a2ff-468ef6217380"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A6237BE3-2B52-4E81-BEB4-AC370C79CD6F",
                    "versionEndIncluding": "2.1.21",
                    "versionStartIncluding": "2.1",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "30C25D29-DA72-404C-934E-7CCA3CCB8793",
                    "versionEndExcluding": "3.1.8",
                    "versionStartIncluding": "3.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                    "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_aus:8.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7883DE07-470D-4160-9767-4F831B75B9A8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_aus:8.4:*:*:*:*:*:*:*",
                    "matchCriteriaId": "4D5F4FA7-E5C5-4C23-BDA8-36A36972E4F4",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_aus:8.6:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5CA4F12A-5BC5-4D75-8F20-80D8BB2C5BF2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "831F0F47-3565-4763-B16F-C87B1FF2035E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0E3F09B5-569F-4C58-9FCA-3C0953D107B5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6C3741B8-851F-475D-B428-523F4F722350",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_tus:8.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9C24797C-0397-4D4F-ADC3-3B99095DBB35",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_tus:8.4:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BF14A415-15BD-4A6C-87CF-675E09390474",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux_tus:8.6:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C237415F-33FE-4686-9B19-A0916BF75D2D",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "\u003cp\u003eA security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.\u003c/p\u003e\n\u003cp\u003eThe ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.\u003c/p\u003e\n"
          },
          {
            "lang": "es",
            "value": "Se presenta una vulnerabilidad de omisi\u00f3n de la caracter\u00edstica de seguridad en la manera en que Microsoft ASP.NET Core analiza los nombres de cookies codificados. El analizador de cookies de ASP.NET Core decodifica cadenas de cookies completas que podr\u00edan permitir a un atacante malicioso establecer una segunda cookie con el nombre codificado en porcentaje. La actualizaci\u00f3n de seguridad aborda la vulnerabilidad al corregir la manera en que el analizador de cookies ASP.NET Core maneja los nombres codificados, tambi\u00e9n se conoce como \"Microsoft ASP.NET Core Security Feature Bypass Vulnerability\""
          }
        ],
        "id": "CVE-2020-1045",
        "lastModified": "2023-12-31T22:15:55.070",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "secure@microsoft.com",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Secondary"
            }
          ]
        },
        "published": "2020-09-11T17:15:18.307",
        "references": [
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:3699"
          },
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Release Notes",
              "Third Party Advisory"
            ],
            "url": "https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.8/3.1.8.md#changes-in-318"
          },
          {
            "source": "secure@microsoft.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LN2FUVBSVPGK7AU3NMLO3YR6CGONQPB/"
          },
          {
            "source": "secure@microsoft.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ASICXQXS4M7MTAF6SGQMCLCA63DLCUT3/"
          },
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045"
          },
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-RHEL8-DOTNET-1439600"
          }
        ],
        "sourceIdentifier": "secure@microsoft.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.