CVE-2020-1045

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.

Published: Sep 11, 2020
Updated: May 4, 2025
CVE: CVE-2020-1045
GHSA: GHSA-hxrm-9w7p-39cc
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
microsoft / asp.net_core	2.1	2.1.21.x
microsoft / asp.net_core	3.1	3.1.8
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
redhat / enterprise_linux	8.0	8.0.x
redhat / enterprise_linux_eus	8.2	8.2.x
redhat / enterprise_linux_aus	8.2	8.2.x
redhat / enterprise_linux_tus	8.2	8.2.x
redhat / enterprise_linux_aus	8.4	8.4.x
redhat / enterprise_linux_tus	8.4	8.4.x
redhat / enterprise_linux_eus	8.4	8.4.x
redhat / enterprise_linux_eus	8.6	8.6.x
redhat / enterprise_linux_tus	8.6	8.6.x
redhat / enterprise_linux_aus	8.6	8.6.x
Microsoft.AspNetCore.Http	-	2.1.22
Microsoft.AspNetCore.App	-	2.1.22
Microsoft.Owin	-	4.1.1
Microsoft.AspNetCore.App.Runtime.linux-arm	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.linux-arm64	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.linux-x64	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.osx-x64	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.win-arm	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.win-x64	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.win-x86	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	3.1.0	3.1.8
Microsoft.AspNetCore.App.Runtime.win-arm64	3.1.5	3.1.8

Vulnerability Database

289,599

CVE-2020-1045