CoreWCF Vulnerability Affects NetFraming Based Services
CVE-2024-28252

7.5HIGH

Key Information:

Vendor

Corewcf

Status
Vendor
CVE Published:
15 March 2024

What is CVE-2024-28252?

CoreWCF, a .NET Core port of Windows Communication Foundation (WCF), is affected by a vulnerability that can lead to excessive resource consumption. Specifically, when a client connects to a NetFraming based CoreWCF service and does not send any data, the service will remain in a waiting state indefinitely for the client to complete the session handshake. Additionally, if a session is established but the client does not send requests within the timeout period set in the binding configuration, the connection fails to close properly. This behavior is especially present in NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Users are urged to upgrade to fixed versions, v1.4.2 or v1.5.2, as there are no workarounds available.

Affected Version(s)

CoreWCF >= 1.5.0, < 1.5.2 < 1.5.0, 1.5.2

CoreWCF < 1.4.2 < 1.4.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.