ID

VAR-201810-1125


CVE

CVE-2018-8292


TITLE

Microsoft .NET Core and PowerShell Core Information Disclosure Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-010455

DESCRIPTION

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0. An attacker can exploit this issue to obtain sensitive information. Successful exploits will lead to other attacks.

Red Hat Security Advisory

Synopsis: Moderate: .NET Core on Red Hat Enterprise Linux security update
Advisory ID: RHSA-2018:2902-01
Product: .NET Core on Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2902
Issue date: 2018-10-09
CVE Names: CVE-2018-8292

1. Summary:

Updates for rh-dotnetcore11-dotnetcore, and rh-dotnetcore10-dotnetcore are now available for .NET Core on Red Hat Enterprise Linux.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

These versions correspond to the October 2018 security release by .NET Core upstream projects.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.src.rpm

x86_64:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.13-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.src.rpm

x86_64:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.10-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.src.rpm

x86_64:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.13-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.src.rpm

x86_64:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.10-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.src.rpm

x86_64:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.13-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.src.rpm

x86_64:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.10-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-8292
https://access.redhat.com/security/updates/classification/#moderate
https://github.com/dotnet/announcements/issues/88

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

Trust: 2.07

sources: NVD: CVE-2018-8292 // JVNDB: JVNDB-2018-010455 // BID: 105548 // VULMON: CVE-2018-8292 // PACKETSTORM: 149745

AFFECTED PRODUCTS

vendor: microsoft, model: powershell core, scope: eq, version: 6.0

Trust: 2.7

vendor: microsoft, model: asp.net core, scope: eq, version: 2.1

Trust: 1.9

vendor: microsoft, model: asp.net core, scope: eq, version: 1.1

Trust: 1.9

vendor: microsoft, model: asp.net core, scope: eq, version: 1.0

Trust: 1.9

vendor: microsoft, model: .net core, scope: eq, version: 2.1

Trust: 1.1

vendor: microsoft, model: .net core, scope: eq, version: 1.1

Trust: 1.1

vendor: microsoft, model: .net core, scope: eq, version: 1.0

Trust: 1.1

sources: BID: 105548 // JVNDB: JVNDB-2018-010455 // CNNVD: CNNVD-201810-492 // NVD: CVE-2018-8292

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-8292
value: HIGH

Trust: 1.0

NVD: CVE-2018-8292
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201810-492
value: MEDIUM

Trust: 0.6

VULMON: CVE-2018-8292
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-8292
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CVSSV3

nvd@nist.gov: CVE-2018-8292
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULMON: CVE-2018-8292 // JVNDB: JVNDB-2018-010455 // CNNVD: CNNVD-201810-492 // NVD: CVE-2018-8292

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2018-010455 // NVD: CVE-2018-8292

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-492

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201810-492

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010455

PATCH

title: CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
url: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8292

Trust: 0.8

title: CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-8292

Trust: 0.8

title: Microsoft .NET Core and PowerShell Core Repair measures for information disclosure vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85661

Trust: 0.6

title: Red Hat: Moderate: .NET Core on Red Hat Enterprise Linux security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182902 - Security Advisory

Trust: 0.1

title: Red Hat: CVE-2018-8292
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-8292

Trust: 0.1

title: TrivyDepsFalsePositive
url: https://github.com/StasJS/TrivyDepsFalsePositive

Trust: 0.1

title: OssIndexClient
url: https://github.com/SimonCropp/OssIndexClient

Trust: 0.1

sources: VULMON: CVE-2018-8292 // JVNDB: JVNDB-2018-010455 // CNNVD: CNNVD-201810-492

EXTERNAL IDS

db: NVD, id: CVE-2018-8292

Trust: 2.9

db: BID, id: 105548

Trust: 1.4

db: JVNDB, id: JVNDB-2018-010455

Trust: 0.8

db: CNNVD, id: CNNVD-201810-492

Trust: 0.6

db: VULMON, id: CVE-2018-8292

Trust: 0.1

db: PACKETSTORM, id: 149745

Trust: 0.1

sources: VULMON: CVE-2018-8292 // BID: 105548 // JVNDB: JVNDB-2018-010455 // PACKETSTORM: 149745 // CNNVD: CNNVD-201810-492 // NVD: CVE-2018-8292

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-8292

Trust: 2.0

url:https://access.redhat.com/errata/rhsa-2018:2902

Trust: 1.3

url:http://www.securityfocus.com/bid/105548

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-8292

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8292

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20181010-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180041.html

Trust: 0.8

url:https://github.com/dotnet/announcements/issues/88

Trust: 0.4

url:http://www.microsoft.com

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://github.com/stasjs/trivydepsfalsepositive

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/simoncropp/ossindexclient

Trust: 0.1

url:https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/105548

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-8292

Trust: 0.1

url:https://bugzilla.redhat.com/

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/articles/11258

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

sources: VULMON: CVE-2018-8292 // BID: 105548 // JVNDB: JVNDB-2018-010455 // PACKETSTORM: 149745 // CNNVD: CNNVD-201810-492 // NVD: CVE-2018-8292

CREDITS

Microsoft

Trust: 0.3

sources: BID: 105548

SOURCES

db: VULMON, id: CVE-2018-8292
db: BID, id: 105548
db: JVNDB, id: JVNDB-2018-010455
db: PACKETSTORM, id: 149745
db: CNNVD, id: CNNVD-201810-492
db: NVD, id: CVE-2018-8292

LAST UPDATE DATE

2024-08-14T14:39:12.181000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2018-8292, date: 2018-12-06T00:00:00
db: BID, id: 105548, date: 2018-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-010455, date: 2018-12-14T00:00:00
db: CNNVD, id: CNNVD-201810-492, date: 2018-10-11T00:00:00
db: NVD, id: CVE-2018-8292, date: 2018-12-06T14:46:36.853

SOURCES RELEASE DATE

db: VULMON, id: CVE-2018-8292, date: 2018-10-10T00:00:00
db: BID, id: 105548, date: 2018-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-010455, date: 2018-12-14T00:00:00
db: PACKETSTORM, id: 149745, date: 2018-10-10T17:38:30
db: CNNVD, id: CNNVD-201810-492, date: 2018-10-10T00:00:00
db: NVD, id: CVE-2018-8292, date: 2018-10-10T13:29:01.213