CVE-2013-1337

Microsoft .NET Framework 4.5 does not properly create policy requirements for custom Windows Communication Foundation (WCF) endpoint authentication in certain situations involving passwords over HTTPS, which allows remote attackers to bypass authentication by sending queries to an endpoint, aka Authentication Bypass Vulnerability.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/114.html
• https://cwe.mitre.org/data/definitions/115.html
• https://cwe.mitre.org/data/definitions/151.html
• https://cwe.mitre.org/data/definitions/194.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/57.html
• https://cwe.mitre.org/data/definitions/593.html
• https://cwe.mitre.org/data/definitions/633.html
• https://cwe.mitre.org/data/definitions/650.html
• https://cwe.mitre.org/data/definitions/94.html

References

• http://www.us-cert.gov/ncas/alerts/TA13-134A
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-040
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16741
• http://www.us-cert.gov/ncas/alerts/TA13-134A
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-040
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16741