GHSA-xjr9-gg9q-jx3vCriticalCVSS 10.0
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
🔗 CVE IDs covered (1)
📋 Description
Impact
Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.
Preconditions
Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable).
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
🎯 Affected products2
- nuget/CoreWCF.Primitives:< 1.8.1
- nuget/CoreWCF.Primitives:>= 1.9.0, < 1.9.1