A flaw was found in .NET Core. An information disclosure vulnerability exists in a redirect when authentication information has been added manually to an Authorization header. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.
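One way an application can keep a manually added Authorization header from travelling with a redirect to another origin, shown as an added example that is not from this bug report or the upstream patch: follow redirects by hand and attach the credential only to requests for the original origin. `FakeNetwork`, `SafeRedirect`, the host names and the token are constructed for illustration; a real client would pass `new HttpClientHandler { AllowAutoRedirect = false }` in place of the stub.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for the network: api.example.test redirects to a different host.
class FakeNetwork : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        Console.WriteLine($"{req.RequestUri.Host}: Authorization {(req.Headers.Authorization != null ? "sent" : "absent")}");
        var resp = new HttpResponseMessage(HttpStatusCode.OK);
        if (req.RequestUri.Host == "api.example.test")
        {
            resp.StatusCode = HttpStatusCode.Redirect;
            resp.Headers.Location = new Uri("https://other.example.test/landing");
        }
        return Task.FromResult(resp);
    }
}

static class SafeRedirect
{
    // Same origin means same scheme, host and port, so an https-to-http downgrade also drops the header.
    static bool SameOrigin(Uri a, Uri b) =>
        Uri.Compare(a, b, UriComponents.SchemeAndServer, UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
    // Hypothetical helper: follows redirects itself and re-attaches the credential only for the starting origin.
    public static async Task<HttpResponseMessage> GetAsync(HttpClient client, Uri start, AuthenticationHeaderValue auth, int maxHops = 5)
    {
        var current = start;
        for (int hop = 0; hop <= maxHops; hop++)
        {
            var req = new HttpRequestMessage(HttpMethod.Get, current);
            if (SameOrigin(start, current)) req.Headers.Authorization = auth;
            var resp = await client.SendAsync(req);
            int code = (int)resp.StatusCode;
            if (code < 300 || code > 399 || resp.Headers.Location == null) return resp;
            current = new Uri(current, resp.Headers.Location); // resolves a relative Location
            resp.Dispose();
        }
        throw new HttpRequestException("too many redirects");
    }
    static async Task Main()
    {
        var client = new HttpClient(new FakeNetwork());
        await GetAsync(client, new Uri("https://api.example.test/data"), new AuthenticationHeaderValue("Bearer", "constructed-token"));
    }
}
```

Running it prints one line per hop, showing the header sent to `api.example.test` and absent on the request to `other.example.test`.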
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2018:2902 https://access.redhat.com/errata/RHSA-2018:2902
Upstream Patch: https://github.com/dotnet/corefx/commit/56aae8a7076f283e334b88f642ef6bb7c59e02c3
rh-dotnet21-dotnet not impacted. We are currently shipping .NET Core Runtime 2.1.7. This looks to have been fixed first in tag v2.1.0.

```
git tag --contains=7e6396b2
v2.1-preview2
v2.1-rc1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.4-dependencies
v2.1.5
v2.1.5-dependencies
v2.1.6
v2.1.6-dependencies
v2.1.7
v2.2.0
v2.2.0-dependencies
v2.2.0-preview1
v2.2.0-preview2
v2.2.0-preview3
v2.2.0-preview3-dependencies
v2.2.1
v3.0.0-preview.18571.3
```
rh-dotnet22-dotnet not impacted either. Ships with fix.
rh-dotnetcore10-dotnetcore is 1.0.13, which has the fix according to upstream. rh-dotnetcore11-dotnetcore is 1.1.10, which is also fixed according to upstream.
*** Bug 1664219 has been marked as a duplicate of this bug. ***