Bug 1636274 (CVE-2018-8292) - CVE-2018-8292 .NET Core: information disclosure due to authentication information exposed in a redirect
Status: CLOSED ERRATA
Alias: CVE-2018-8292
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 1664219
Blocks: 1636275
Reported: 2018-10-04 23:13 UTC by Laura Pardo
Modified: 2022-03-13 15:41 UTC

Last Closed: 2019-09-27 09:43:12 UTC

Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Knowledge Base (Solution) | 3870751 | 0 | None | None | None | 2019-01-29 20:22:18 UTC |
| Red Hat Product Errata | RHSA-2018:2902 | 0 | None | None | None | 2018-10-10 00:15:01 UTC |

Description Laura Pardo 2018-10-04 23:13:00 UTC
A flaw was found in .NET Core. An information disclosure vulnerability exists in a redirect when authentication information has been added manually to an Authorization header. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.
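
One way a client can keep a manually added Authorization header from travelling with a redirect, as an added example (not code from .NET Core, the erratum or this bug): automatic redirects are disabled and the credential is re-sent only while the request stays on the original scheme, host and port. The `SafeRedirect` class, its method names and the same-origin policy are assumptions of this example; the report itself says only that the header is exposed in a redirect.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Hypothetical helper: follows redirects by hand so the caller decides
// when the Authorization header may be sent.
static class SafeRedirect
{
    // Automatic redirects are off, so the runtime never replays our headers.
    static readonly HttpClient Client =
        new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });

    // True only when both absolute URIs share scheme, host and port.
    public static bool SameOrigin(Uri a, Uri b) =>
        Uri.Compare(a, b, UriComponents.SchemeAndServer, UriFormat.Unescaped,
                    StringComparison.OrdinalIgnoreCase) == 0;

    public static async Task<HttpResponseMessage> GetAsync(
        Uri start, AuthenticationHeaderValue auth, int maxHops = 5)
    {
        Uri current = start;
        bool trusted = true;   // becomes false for good once we leave the origin
        for (int hop = 0; ; hop++)
        {
            using (var request = new HttpRequestMessage(HttpMethod.Get, current))
            {
                if (trusted)
                    request.Headers.Authorization = auth;

                HttpResponseMessage response = await Client.SendAsync(request);
                int status = (int)response.StatusCode;
                bool redirect = status == 301 || status == 302 || status == 303
                             || status == 307 || status == 308;
                if (!redirect || response.Headers.Location == null)
                    return response;

                // Location may be relative; resolve it against the current URI.
                Uri next = new Uri(current, response.Headers.Location);
                response.Dispose();
                if (hop >= maxHops)
                    throw new HttpRequestException("Too many redirects");

                trusted = trusted && SameOrigin(start, next);
                current = next;
            }
        }
    }
}
```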

Comment 1 errata-xmlrpc 2018-10-10 00:14:54 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2018:2902 https://access.redhat.com/errata/RHSA-2018:2902

Comment 5 Scott Gayou 2019-01-11 17:26:36 UTC
rh-dotnet21-dotnet not impacted. We are currently shipping .NET Core Runtime 2.1.7. This looks to have been fixed first in tag v2.1.0.

```
git tag --contains=7e6396b2
v2.1-preview2
v2.1-rc1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.4-dependencies
v2.1.5
v2.1.5-dependencies
v2.1.6
v2.1.6-dependencies
v2.1.7
v2.2.0
v2.2.0-dependencies
v2.2.0-preview1
v2.2.0-preview2
v2.2.0-preview3
v2.2.0-preview3-dependencies
v2.2.1
v3.0.0-preview.18571.3
```

Comment 6 Scott Gayou 2019-01-11 17:42:14 UTC
rh-dotnet22-dotnet not impacted either. Ships with fix.

Comment 7 Scott Gayou 2019-01-11 18:04:29 UTC
rh-dotnetcore10-dotnetcore is 1.0.13, which has the fix according to upstream. rh-dotnetcore11-dotnetcore is 1.1.10, which is also fixed according to upstream.

Comment 13 Stefan Cornelius 2019-06-14 09:49:14 UTC
*** Bug 1664219 has been marked as a duplicate of this bug. ***