CVE-2020-1045

HIGH

Microsoft ASP.NET Core - Auth Bypass

Title source: llm
STIX 2.1

Description

<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p> <p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p> <p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>

References (6)

Core 6

Scores

CVSS v3 7.5
EPSS 0.2040
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

Status published
Products (26)
fedoraproject/fedora 32
fedoraproject/fedora 33
microsoft/asp.net_core 2.1 - 2.1.21
nuget/Microsoft.AspNetCore.App 0 - 2.1.22NuGet
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm 3.1.0 - 3.1.8NuGet
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64 3.1.0 - 3.1.8NuGet
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 3.1.0 - 3.1.8NuGet
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64 3.1.0 - 3.1.8NuGet
nuget/Microsoft.AspNetCore.App.Runtime.linux-x64 3.1.0 - 3.1.8NuGet
nuget/Microsoft.AspNetCore.App.Runtime.osx-x64 3.1.0 - 3.1.8NuGet
... and 16 more
Published Sep 11, 2020
Tracked Since Feb 18, 2026