dotnet · CoreWCF.Primitives · Critical
CoreWCF.Primitives SAML Token Signature Verification Bypass
What changed
When a service validates a SAML token whose signature's <KeyInfo> resolves to a non-X.509 SecurityToken (rather than an X.509 certificate), the final signature verification step is skipped. The assertion is therefore accepted without its signature ever being checked, so a tampered or unsigned assertion that references such a key passes validation.
Who it affects
Services using CoreWCF.Primitives that authenticate callers with SAML tokens and resolve the signing key through an out-of-band token resolver holding a non-X.509 SecurityToken (e.g., BinarySecretSecurityToken) referenced from the assertion's <KeyInfo>. Services whose SAML assertions are signed with X.509 certificates resolved as X509SecurityToken are not described as affected.
What to do today
Upgrade to CoreWCF v1.8.1 or v1.9.1 immediately.