dotnet · CoreWCF.Primitives · Heads-up
CoreWCF.Primitives: Unauthenticated Signature Bypass via Crafted SOAP Header
What changed
A security vulnerability in CoreWCF.Primitives allows an unauthenticated remote attacker to bypass signature verification by placing a crafted SOAP header before wsse:Security, causing the server to verify an attacker-supplied signature instead of the one in the security header.
Who it affects
Users of CoreWCF v1.8.0 and v1.9.0 whose endpoints are configured with an endorsing supporting token binding.
What to do today
Upgrade to CoreWCF v1.8.1 or v1.9.1, or apply the workaround of using a security token resolver that only accepts references to issuer-pinned X.509 chains.
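As an added example (not CoreWCF code and not part of the advisory), the following Python check flags SOAP header blocks outside wsse:Security that contain a ds:Signature, the message shape described under "What changed". It assumes the crafted header carries its own ds:Signature element, which the advisory does not spell out; the sample envelopes and the urn:example:constructed namespace are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

def stray_signature_headers(envelope: bytes) -> list:
    """List SOAP header blocks other than wsse:Security that hold a ds:Signature.
    Assumption (not stated on the page): the crafted header carries its own
    ds:Signature element. Treat hits as a triage signal, not a fix."""
    if b"<!DOCTYPE" in envelope:        # SOAP forbids DTDs; refuse before parsing
        raise ValueError("DTD in SOAP message")
    root = ET.fromstring(envelope)
    header = None
    for ns in SOAP_NS:
        header = root.find(f"{{{ns}}}Header")
        if header is not None:
            break
    if header is None:
        return []
    findings, seen_security = [], False
    for block in header:                # direct children, in document order
        if block.tag == f"{{{WSSE}}}Security":
            seen_security = True
            continue
        if (block.tag == f"{{{DS}}}Signature"
                or block.find(f".//{{{DS}}}Signature") is not None):
            where = "after" if seen_security else "before"
            findings.append(f"{block.tag} ({where} wsse:Security)")
    return findings

# Constructed sample messages (signature elements left empty on purpose).
_ENV = ('<s:Envelope xmlns:s="' + SOAP_NS[0] + '" xmlns:wsse="' + WSSE +
        '" xmlns:ds="' + DS + '" xmlns:x="urn:example:constructed">'
        '<s:Header>%s</s:Header><s:Body/></s:Envelope>')
EXPECTED = (_ENV % '<wsse:Security><ds:Signature/></wsse:Security>').encode()
SUSPECT = (_ENV % ('<x:Extra><ds:Signature/></x:Extra>'
                   '<wsse:Security><ds:Signature/></wsse:Security>')).encode()

if __name__ == "__main__":
    for name, msg in (("expected", EXPECTED), ("suspect", SUSPECT)):
        print(name, stray_signature_headers(msg))
```

A hit is only a reason to look closer at the request; it does not replace upgrading to the fixed versions.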