CVE-2019-1006

EUVD-2019-9592
An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
microsoft.net_framework
2.0:sp2
microsoft.net_framework
3.0:sp2
microsoft.net_framework
3.5
microsoft.net_framework
3.5
microsoft.net_framework
4.7.2
microsoft.net_framework
3.5
microsoft.net_framework
4.8
microsoft.net_framework
3.5.1
microsoft.net_framework
4.5.2
microsoft.net_framework
4.6
microsoft.net_framework
4.6
microsoft.net_framework
4.6.1
microsoft.net_framework
4.6.2
microsoft.net_framework
4.6
microsoft.net_framework
4.6.1
microsoft.net_framework
4.6.2
microsoft.net_framework
4.7
microsoft.net_framework
4.7.1
microsoft.net_framework
4.7.2
microsoft.net_framework
4.8
microsoftidentitymodel
7.0.0
microsoftwindows_10
-
microsoftwindows_7
-
microsoftwindows_8.1
-
microsoftwindows_rt_8.1
-
microsoftwindows_server_2008
-
microsoftwindows_server_2012
-
microsoftwindows_server_2016
-
microsoftwindows_server_2019
-
𝑥
= Vulnerable software versions
Windows Releases
Platform
Version
Windows 10
(x64, x86)
KB4507458
1607 (x64, x86)
KB4506986
1607 (x64, x86)
KB4507460
1703 (x64, x86)
KB4507450
1703 (x64)
KB4506986
1703 (x86)
KB4506987
1709 (arm64, x64, x86)
KB4507455
1709 (x64)
KB4506986
1709 (x86)
KB4506988
1803 (arm64, x64, x86)
KB4507435
1803 (x64, x86)
KB4506989
1809 (arm64, x64, x86)
KB4507469
1809 (x64, x86)
KB4507419
1903 (arm64, x64, x86)
KB4507453
1903 (x64, x86)
KB4506991
Windows 7
Service Pack 1 (x64, x86)
KB4507456
Service Pack 1 (x64, x86)
KB4507420
Windows 8.1
(x64, x86)
KB4507448
(x64, x86)
KB4507457
(x64, x86)
KB4507422
(x64, x86)
KB4507413
Windows RT 8.1
All
KB4507448
All
KB4507422
Windows Server
1803 Server Core
KB4507435
1803 Server Core
KB4506989
1903 Server Core
KB4507453
1903 Server Core
KB4506991
Windows Server 2008
Service Pack 2 (x64, x86)
KB4507461
Service Pack 2 (x64, x86)
KB4507423
Service Pack 2 Server Core (x64, x86)
KB4507461
Windows Server 2008 R2
Service Pack 1 (x64)
KB4507456
Service Pack 1 (x64)
KB4507420
Service Pack 1 Server Core (x64)
KB4507456
Service Pack 1 Server Core (x64)
KB4507420
Windows Server 2012
Server Core
KB4507464
Server Core
KB4507421
Standard
KB4507464
Standard
KB4507421
Windows Server 2012 R2
Server Core
KB4507448
Server Core
KB4507457
Server Core
KB4507422
Server Core
KB4507413
Standard
KB4507448
Standard
KB4507457
Standard
KB4507422
Standard
KB4507413
Windows Server 2016
Server Core
KB4507460
Server Core
KB4506986
Standard
KB4507460
Standard
KB4506986
Windows Server 2019
Server Core
KB4507469
Server Core
KB4507419
Standard
KB4507469
Standard
KB4507419
Common Weakness Enumeration
References
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006