CVE-2019-1006

Published: Jul 15, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

Affected (37)

Products: Microsoft: .net Framework, Identitymodel, Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server, Windows 10, Windows 7, Windows 8.1, Windows Rt 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019

Microsoft

13 products

.net Framework

Identitymodel

Sharepoint Enterprise Server

Sharepoint Foundation

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 2.0 sp2
Microsoft .net Framework	Version 3.0 sp2

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 3.5

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 3.5.1

Configuration F

1 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 4.5.2

Configuration I

6 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 4.6.1
Microsoft .net Framework	Version 4.6.2
Microsoft .net Framework	Version 4.6
Microsoft .net Framework	Version 4.7.1
Microsoft .net Framework	Version 4.7.2
Microsoft .net Framework	Version 4.7

Configuration J

1 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 4.8

Configuration K

25 vulnerable

Vulnerable Software	Affected Versions
Microsoft Identitymodel	Version 7.0.0
Microsoft Sharepoint Enterprise Server	Version 2013 sp1
Microsoft Sharepoint Enterprise Server	Version 2016
Microsoft Sharepoint Foundation	Version 2010 sp2
Microsoft Sharepoint Foundation	Version 2013 sp1
Microsoft Sharepoint Server	Version 2019
Microsoft Windows 10	All versions
Microsoft Windows 10	Version 1607
Microsoft Windows 10	Version 1703
Microsoft Windows 10	Version 1709
Microsoft Windows 10	Version 1803
Microsoft Windows 10	Version 1809
Microsoft Windows 10	Version 1903
Microsoft Windows 7	All versions
Microsoft Windows 8.1	All versions
Microsoft Windows Rt 8.1	All versions
Microsoft Windows Server 2008	All versions
Microsoft Windows Server 2008	Version r2 sp1
Microsoft Windows Server 2008	Version r2 sp1
Microsoft Windows Server 2012	All versions
Microsoft Windows Server 2012	Version r2
Microsoft Windows Server 2016	All versions
Microsoft Windows Server 2016	Version 1803
Microsoft Windows Server 2016	Version 1903
Microsoft Windows Server 2019	All versions

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (2)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006

Source: secure@microsoft.com

PatchVendor Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.