HIGH 8.8

GHSA-3wcj-rg8q-9cqv

Open redirect in ASP.NET Core

Details

ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability".

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / Microsoft.AspNetCore.All

Introduced in: 2.0.0 Fixed in: 2.0.3

Fix dotnet add package Microsoft.AspNetCore.All --version 2.0.3

NuGet / Microsoft.AspNetCore.Mvc.Core

Introduced in: 2.0.0 Fixed in: 2.0.1

Fix dotnet add package Microsoft.AspNetCore.Mvc.Core --version 2.0.1

References

https://nvd.nist.gov/vuln/detail/CVE-2017-11879 [ADVISORY]
https://github.com/aspnet/Announcements/issues/277 [WEB]
https://github.com/github/advisory-database/issues/302 [WEB]
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11879 [WEB]