CoreWCF Vulnerability Affects NetFraming Based Services
CVE-2024-28252
What is CVE-2024-28252?
CoreWCF, a .NET Core port of Windows Communication Foundation (WCF), is affected by a vulnerability that can lead to excessive resource consumption. Specifically, when a client connects to a NetFraming based CoreWCF service and does not send any data, the service will remain in a waiting state indefinitely for the client to complete the session handshake. Additionally, if a session is established but the client does not send requests within the timeout period set in the binding configuration, the connection fails to close properly. This behavior is especially present in NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Users are urged to upgrade to fixed versions, v1.4.2 or v1.5.2, as there are no workarounds available.
Affected Version(s)
CoreWCF >= 1.5.0, < 1.5.2 < 1.5.0, 1.5.2
CoreWCF < 1.4.2 < 1.4.2
