A flaw was found in .NET Core. An information disclosure vulnerability exists in a redirect when authentication information has been added manually to an Authorization header. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.
This issue has been addressed in the following products:
.NET Core on Red Hat Enterprise Linux
Via RHSA-2018:2902 https://access.redhat.com/errata/RHSA-2018:2902
rh-dotnet21-dotnet not impacted. We are currently shipping .NET Core Runtime 2.1.7. This looks to have been fixed first in tag v2.1.0.
git tag --contains=7e6396b2
rh-dotnet22-dotnet not impacted either. Ships with fix.
rh-dotnetcore10-dotnetcore is 1.0.13, which has the fix according to upstream. rh-dotnetcore11-dotnetcore is 1.1.10, which is also fixed according to upstream.
*** Bug 1664219 has been marked as a duplicate of this bug. ***