CVE-2019-1006

CWE-295 — Improper Certificate Validation CWE-79 — Cross-site Scripting (XSS)6 documents6 sources

Severity

7.5HIGH

EPSS

2.9%

top 13.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft.identitymodel Microsoft Microsoft .net Framework 2.0 Microsoft Microsoft .net Framework 3.0 +54 more

Timeline

PublishedJul 15

Latest updateMay 24

Description

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages55 packages

▶CVEListV5microsoft/windows20 versions+19

▶NVDmicrosoft/windowsr2, 1803, 1903+2

▶NVDmicrosoft/windows_106 versions+5

▶CVEListV5microsoft/windows_server17 versions+16

▶NVDmicrosoft/sharepoint_foundation2010, 2013+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-42m9-f9c6-jjrj: An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAM↗2022-05-24

▶

CVEList

CVE-2019-1006: An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAM↗2019-07-15

▶

📋Vendor Advisories

Microsoft

WCF/WIF SAML Token Authentication Bypass Vulnerability↗2019-07-09

▶

Red Hat

struts2: multiple XSS flaws↗2012-02-01

▶

💬Community

Bugzilla

CVE-2012-1006 struts2: multiple XSS flaws↗2012-02-07

▶

External resources

NVD MITRE

Affected products57

Microsoft .net Frameworkv2.0v3.0v3.5+9 more

Microsoft Identitymodelv7.0.0

Microsoft Microsoft .net Framework 2.0vService Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2vService Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2vService Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft Microsoft .net Framework 3.0vService Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2vService Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2vService Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft Microsoft .net Framework 3.5vWindows 10 Version 1607 for 32-bit SystemsvWindows 10 Version 1607 for x64-based SystemsvWindows 10 Version 1703 for 32-bit Systems+16 more

Microsoft Microsoft .net Framework 3.5 AND 4.7.2 ON Windows 10 Version 1809 FOR 32-bit Systemsvunspecified

Microsoft Microsoft .net Framework 3.5 AND 4.7.2 ON Windows 10 Version 1809 FOR X64-based Systemsvunspecified

Microsoft Microsoft .net Framework 3.5 AND 4.7.2 ON Windows Server 2019vunspecified

Microsoft Microsoft .net Framework 3.5 AND 4.7.2 ON Windows Server 2019 (server Core Installation)vunspecified

Microsoft Microsoft .net Framework 3.5 AND 4.8 ON Windows 10 Version 1809 FOR 32-bit Systemsvunspecified

Disclosure

PublishedJul 15, 2019

Latest updateMay 24, 2022