Open mend-bolt-for-github[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2020-1045 - High Severity Vulnerability
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a687fb5cbaf60825500800f7 When using NuGet 3.x this package requires at least version 3.4.
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda/DotNetServerless.Lambda.csproj
Path to vulnerable library: /uget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy: - :x: **microsoft.netcore.app.2.1.0.nupkg** (Vulnerable Library)
Found in HEAD commit: dcbe4aefe4b3685f4b15493a01db0f19b118a0c4
Found in base branch: master
Vulnerability Details
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.
The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.
The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.
Publish Date: 2020-09-11
URL: CVE-2020-1045
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-09-11
Fix Resolution: Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22,Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22
Step up your Open Source Security Game with Mend here