GHSA-2288-8H3R-CQGG CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality
Impact When the proof key recovered from the RSTR can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT default 10 hours and decrypt or forge any subsequent WS‑SecureConversation traffic that uses...