Bugzilla – Bug 1111316
VUL-0: CVE-2018-8292: mono-core: information disclosure due to authentication information exposed in a redirect
Last modified: 2018-11-01 22:44:48 UTC
rh#1636274

A flaw was found in .NET Core. An information disclosure vulnerability in a redirect when authentication information has been added manually to an Authorization header. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.

System.Net.Http is also in mono-core. I have a hard time assessing if we're affected by this based on the available information. Do you have more knowledge of this package?

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1636274
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8292
https://rhn.redhat.com/errata/RHSA-2018-2902.html

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8292.html

Notes
mdeslaur> fix in 1.1.10 is:
mdeslaur> https://github.com/dotnet/corefx/commit/56aae8a7076f283e334b88f642ef6bb7c59e02c3
mdeslaur> this code doesn't look like it's present in the mono package
Checked with the Mono team. The issue should not affect us. https://github.com/mono/mono/issues/11376 Closing bug as INVALID.
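
The exposure described in the report (a manually added Authorization header travelling along with a redirect) can be ruled out on the caller's side by following redirects explicitly and dropping the header once a hop leaves the original origin. The C# below is an added example, not code from corefx, Mono or the linked commit. RedirectSafeClient, StubHandler, the example.test hosts and the token are constructed for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for the network: the API host answers with a 302 to another host.
class StubHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        Console.WriteLine($"{req.RequestUri} Authorization sent: {req.Headers.Authorization != null}");
        bool api = req.RequestUri.Host == "api.example.test";
        var resp = new HttpResponseMessage(api ? HttpStatusCode.Found : HttpStatusCode.OK);
        if (api) resp.Headers.Location = new Uri("https://cdn.example.test/file");
        return Task.FromResult(resp);
    }
}

static class RedirectSafeClient   // hypothetical helper, not a framework type
{
    // Same origin means same scheme, host and port.
    static bool SameOrigin(Uri a, Uri b) => Uri.Compare(a, b, UriComponents.SchemeAndServer,
        UriFormat.SafeUnescaped, StringComparison.OrdinalIgnoreCase) == 0;

    public static async Task<HttpResponseMessage> GetAsync(
        HttpClient client, Uri start, AuthenticationHeaderValue auth, int maxHops = 5)
    {
        Uri current = start; bool sendAuth = true;
        for (int hop = 0; hop <= maxHops; hop++)
        {
            var request = new HttpRequestMessage(HttpMethod.Get, current);
            // The manually added credential goes out only while no hop has left the origin.
            if (sendAuth) request.Headers.Authorization = auth;
            HttpResponseMessage response = await client.SendAsync(request);
            int code = (int)response.StatusCode;
            bool redirect = code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
            if (!redirect || response.Headers.Location == null) return response;
            current = new Uri(current, response.Headers.Location);  // resolves a relative Location
            // Once a hop leaves the original origin, the credential is never attached again.
            sendAuth = sendAuth && SameOrigin(start, current);
            response.Dispose();
        }
        throw new HttpRequestException("too many redirects");
    }

    // With a real HttpClientHandler, set AllowAutoRedirect = false so every hop passes through GetAsync.
    static async Task Main() =>
        await GetAsync(new HttpClient(new StubHandler()), new Uri("https://api.example.test/data"),
                       new AuthenticationHeaderValue("Bearer", "constructed-token"));
}
```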