dotnet · CoreWCF.Primitives · Critical
CoreWCF.Primitives SAML Impersonation Vulnerability
A security vulnerability in CoreWCF.
What changed
A security vulnerability in CoreWCF.Primitives allows full impersonation of any principal for which the trusted STS could have issued an assertion, including administrative principals, when the relying party grants access to those principals on the basis of SAML claims. Both SAML 1.1 and SAML 2.0 assertions are affected.
Who it affects
Relying-party services hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that causes FederatedSecurityTokenManager to validate issued tokens) in which IdentityConfiguration is wired up (UseIdentityConfiguration = true).
What to do today
Upgrade CoreWCF to v1.8.1 or v1.9.1 immediately.
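As an added check (not part of this advisory or of the CoreWCF project), a Python script that reads a .csproj and flags CoreWCF.Primitives references that fall below the fixed releases named above. It assumes that every release below 1.8.1, and 1.9.0, needs the upgrade, and that releases after 1.9.1 are not named as affected here; the sample project file is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

PACKAGE = "CoreWCF.Primitives"
# Fixed releases named in the advisory, one per maintenance branch. The trailing 1
# marks a final release; prereleases get 0 so "1.8.1-preview" still sorts below 1.8.1.
FIXED = {(1, 8): (1, 8, 1, 1), (1, 9): (1, 9, 1, 1)}


def parse_version(text: str) -> tuple:
    """'1.9.0' -> (1, 9, 0, 1); '1.8.1-rc1' -> (1, 8, 1, 0); prerelease flag is last."""
    core, _, suffix = text.partition("-")
    return tuple(int(p) for p in core.split(".")) + (0 if suffix else 1,)


def needs_upgrade(version: str) -> Optional[str]:
    """Return the release to move to, or None when this version already carries the fix."""
    v = parse_version(version)
    if v[:2] in FIXED:
        target = FIXED[v[:2]]
        return ".".join(map(str, target[:3])) if v < target else None
    # Assumption: branches older than 1.8 have no patched release of their own, so the
    # advice is to move to 1.8.1; releases after 1.9.1 are not named as affected here.
    return "1.8.1" if v < (1, 8) else None


def scan_csproj(xml_text: str) -> list:
    """List (current, target) pairs for CoreWCF.Primitives references needing the upgrade."""
    findings = []
    for ref in ET.fromstring(xml_text).iter():
        # Strip any MSBuild namespace so SDK-style and legacy project files both match.
        if ref.tag.split("}")[-1] != "PackageReference" or ref.get("Include") != PACKAGE:
            continue
        version = (ref.get("Version") or next(
            (c.text or "" for c in ref if c.tag.split("}")[-1] == "Version"), "")).strip()
        if not version:
            continue  # pinned elsewhere (e.g. central package management): check there
        target = needs_upgrade(version)
        if target:
            findings.append((version, target))
    return findings


# Constructed sample project file (not taken from any real repository).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CoreWCF.Primitives" Version="1.9.0" />
    <PackageReference Include="Example.Other" Version="2.0.0" />
  </ItemGroup>
</Project>"""
```

Run `scan_csproj` over each project file in the solution; an empty list means every CoreWCF.Primitives reference in that file is already at or above the fixed release for its branch.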