Bug 1636274 (CVE-2018-8292)

Summary: CVE-2018-8292 .NET Core: information disclosure due to authentication information exposed in a redirect
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bodavis, dbhole, jolee, kanderso, mvardhan, omajid, rwagner, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-09-27 09:43:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1636275

Description Laura Pardo 2018-10-04 23:13:00 UTC
A flaw was found in .NET Core. An information disclosure vulnerability exists in a redirect when authentication information has been added manually to an Authorization header. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.
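
The redirect behaviour described above, shown as an added example that is not part of this bug report and not .NET Core's own code: a hand-rolled redirect follower that, in its unsafe form, forwards a manually set Authorization header to whatever host the 302 points at, and in its hardened form drops the header as soon as the redirect leaves the original origin. The fake transport, the hostnames api.example.test and attacker.example.test, and the token value are constructed for the example so it runs offline without any network access.

```csharp
// Added example (not .NET Core's code, not from the bug report). The fake
// transport and hostnames below are constructed so the program runs offline.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Constructed fake transport: api.example.test answers every request with a
// 302 to attacker.example.test; both hosts record the Authorization header
// (if any) that actually reached them.
class FakeTransport : HttpMessageHandler
{
    public readonly List<string> Log = new List<string>();

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string auth = request.Headers.Authorization?.ToString() ?? "(none)";
        Log.Add($"{request.RequestUri.Host} received Authorization: {auth}");

        HttpResponseMessage response;
        if (request.RequestUri.Host == "api.example.test")
        {
            response = new HttpResponseMessage(HttpStatusCode.Found);
            response.Headers.Location = new Uri("https://attacker.example.test/collect");
        }
        else
        {
            response = new HttpResponseMessage(HttpStatusCode.OK);
        }
        return Task.FromResult(response);
    }
}

static class RedirectClient
{
    // Follows 3xx responses by hand. With stripOnCrossOrigin == false this is
    // the leaking behaviour: the caller's Authorization header is re-sent to
    // the redirect target even when that target is a different origin.
    public static async Task<HttpResponseMessage> GetAsync(
        HttpClient client, Uri uri, AuthenticationHeaderValue auth,
        bool stripOnCrossOrigin, int maxRedirects = 5)
    {
        for (int hop = 0; ; hop++)
        {
            var request = new HttpRequestMessage(HttpMethod.Get, uri);
            request.Headers.Authorization = auth;
            HttpResponseMessage response = await client.SendAsync(request);

            int code = (int)response.StatusCode;
            if (code < 300 || code > 399 || response.Headers.Location == null)
                return response;
            if (hop >= maxRedirects)
                throw new HttpRequestException("too many redirects");

            // Resolve a possibly relative Location against the current URI.
            Uri next = new Uri(uri, response.Headers.Location);
            bool sameOrigin = next.Scheme == uri.Scheme
                && string.Equals(next.Host, uri.Host, StringComparison.OrdinalIgnoreCase)
                && next.Port == uri.Port;
            if (stripOnCrossOrigin && !sameOrigin)
                auth = null; // mitigation: credentials never leave the first origin
            uri = next;
        }
    }
}

class Program
{
    static async Task Main()
    {
        var creds = new AuthenticationHeaderValue("Bearer", "secret-token"); // placeholder
        foreach (bool hardened in new[] { false, true })
        {
            var transport = new FakeTransport();
            using (var client = new HttpClient(transport))
            {
                await RedirectClient.GetAsync(
                    client, new Uri("https://api.example.test/v1/data"), creds, hardened);
            }
            Console.WriteLine(hardened ? "hardened:" : "vulnerable:");
            foreach (string line in transport.Log) Console.WriteLine("  " + line);
        }
    }
}
```

Build it as a .NET console project and read the two logs it prints: in the vulnerable pass the attacker host sees the bearer token, in the hardened pass it sees none. Against a real endpoint the same GetAsync loop is used with `new HttpClientHandler { AllowAutoRedirect = false }` so the runtime does not follow redirects on its own. Stripping only on cross-origin redirects is a choice made for this example; dropping the Authorization header on every redirect is the more conservative option for code that must run on an unpatched runtime.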

Comment 1 errata-xmlrpc 2018-10-10 00:14:54 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2018:2902 https://access.redhat.com/errata/RHSA-2018:2902

Comment 5 Scott Gayou 2019-01-11 17:26:36 UTC
rh-dotnet21-dotnet is not impacted. We are currently shipping .NET Core Runtime 2.1.7. This looks to have been fixed first in tag v2.1.0.

```
git tag --contains=7e6396b2
v2.1-preview2
v2.1-rc1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.4-dependencies
v2.1.5
v2.1.5-dependencies
v2.1.6
v2.1.6-dependencies
v2.1.7
v2.2.0
v2.2.0-dependencies
v2.2.0-preview1
v2.2.0-preview2
v2.2.0-preview3
v2.2.0-preview3-dependencies
v2.2.1
v3.0.0-preview.18571.3
```

Comment 6 Scott Gayou 2019-01-11 17:42:14 UTC
rh-dotnet22-dotnet is not impacted either; it ships with the fix.

Comment 7 Scott Gayou 2019-01-11 18:04:29 UTC
rh-dotnetcore10-dotnetcore is 1.0.13, which has the fix according to upstream. rh-dotnetcore11-dotnetcore is 1.1.10, which is also fixed according to upstream.

Comment 13 Stefan Cornelius 2019-06-14 09:49:14 UTC
*** Bug 1664219 has been marked as a duplicate of this bug. ***