CVE-2018-8292
Description
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A .NET Core information disclosure vulnerability exposes HTTP authentication data during redirects, affecting multiple .NET Core and PowerShell Core versions.
Vulnerability
An information disclosure vulnerability exists in .NET Core when HTTP authentication information (e.g., Authorization headers) is inadvertently exposed during a redirect. This occurs because the affected runtime versions do not properly scrub credentials when following HTTP redirects. The vulnerability affects .NET Core 1.0.x (runtimes ≤1.0.12), .NET Core 1.1.x (runtimes ≤1.1.9), .NET Core 2.0.x (any runtime), and PowerShell Core 6.0. The issue is also present in the System.Net.Http package versions 2.0.20126.16343, 2.0.20505, 2.0.20710, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.3.0, 4.3.1, 4.3.2, and 4.3.3 [1][2].
Exploitation
An attacker needs no authentication or special network position other than the ability to serve a malicious HTTP redirect to an application making an outbound HTTP request. The attacker can craft a redirect response that points to a controlled endpoint; when the vulnerable .NET Core client follows that redirect, the original authentication information (e.g., Basic auth credentials or bearer tokens) is reused in the new request without stripping, thus exposing the credentials to the attacker's server. No user interaction beyond the application making a vulnerable HTTP request is required [2].
Impact
Successful exploitation allows the attacker to capture HTTP authentication credentials (such as usernames and passwords or tokens) of the .NET Core application making the outbound request. This information disclosure can then be used to further compromise the web application or access protected resources with the stolen credentials. The attacker gains no direct code execution but obtains sensitive authentication data [1][2].
Mitigation
Microsoft released updates on October 9, 2018: .NET Core 1.0.13, 1.1.10, and 2.1.0 (runtime), plus SDK 1.1.11. Developers must migrate any .NET Core 2.0 applications to 2.1 or newer. The System.Net.Http package should be updated to version 4.3.4 or later [2]. Red Hat provided updated packages (rh-dotnetcore10-dotnetcore 1.0.13 and rh-dotnetcore11-dotnetcore 1.1.1) as of RHSA-2018:2902 [3]. No workarounds other than applying the patch are documented; the advisory lists no mitigating factors [2]. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
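The defensive behaviour described above (drop credentials when a redirect leaves the original origin) can also be enforced at the application level on any runtime. The handler below is an added example for this page, not code from the .NET runtime or the advisory; it assumes the caller wires it in front of an HttpClientHandler with AllowAutoRedirect = false so that the runtime's own redirect logic is bypassed.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Follows HTTP redirects manually and strips the Authorization header whenever the
// redirect target is on a different scheme, host or port than the original request.
public sealed class SafeRedirectHandler : DelegatingHandler
{
    private const int MaxRedirects = 10;

    public SafeRedirectHandler(HttpMessageHandler inner) : base(inner) { }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        var response = await base.SendAsync(request, ct);
        for (int hops = 0; hops < MaxRedirects && IsRedirect(response); hops++)
        {
            Uri target = response.Headers.Location;
            if (target == null) break;
            if (!target.IsAbsoluteUri) target = new Uri(request.RequestUri, target);

            // 307/308 preserve the method; 301/302/303 are re-issued as GET.
            int status = (int)response.StatusCode;
            var method = (status == 307 || status == 308) ? request.Method : HttpMethod.Get;
            var next = new HttpRequestMessage(method, target);
            foreach (var h in request.Headers)
            {
                if (h.Key.Equals("Host", StringComparison.OrdinalIgnoreCase)) continue;
                next.Headers.TryAddWithoutValidation(h.Key, h.Value);
            }
            if (!SameOrigin(request.RequestUri, target))
                next.Headers.Authorization = null; // never hand credentials to another origin

            response.Dispose();
            request = next;
            response = await base.SendAsync(next, ct);
        }
        return response;
    }

    private static bool IsRedirect(HttpResponseMessage r)
    {
        int s = (int)r.StatusCode;
        return s == 301 || s == 302 || s == 303 || s == 307 || s == 308;
    }

    public static bool SameOrigin(Uri a, Uri b) =>
        a.Scheme == b.Scheme
        && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase)
        && a.Port == b.Port;
}
```

Construct the client as `new HttpClient(new SafeRedirectHandler(new HttpClientHandler { AllowAutoRedirect = false }))`; request bodies are not re-sent on 307/308 here, so extend the handler if that case matters for your application.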
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Net.Http (NuGet) | < 4.3.4 | 4.3.4 |
Affected products
- Microsoft / .NET Core, affected range: 1.0
- Microsoft / PowerShell Core, affected range: 6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2018:2902 (Red Hat vendor advisory)
- github.com/advisories/GHSA-7jgj-8wvc-jh57 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8292 (NVD entry)
- www.securityfocus.com/bid/105548 (SecurityFocus BID entry)
- github.com/dotnet/announcements/issues/88 (.NET announcement)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8292 (Microsoft MSRC advisory)
News mentions
No linked articles in our index yet.