Information disclosure

🗓️ 13 Jan 2020 19:15:00Reported by PRIOn knowledge baseType

PySAML2 version before 5.0.0 is vulnerable to XML Signature Wrapping (XSW) due to lack of enveloped signature check, allowing wrong data to be used for verification of signed assertion

Reporter	Title	Published	Views	Family All 63
BDU FSTEC	The vulnerability of the authentication library for exchanging identification data according to the SAML2 standard, related to incorrect verification of the cryptographic signature of the data, allows a perpetrator to bypass the signature verification and gain access to protected information.	22 Dec 202000:00	–	bdu_fstec
CNVD	PySAML2 XML Signature Wrapper Vulnerability	14 Jan 202000:00	–	cnvd
CVE	CVE-2020-5390	13 Jan 202018:11	–	cve
Cvelist	CVE-2020-5390	13 Jan 202018:11	–	cvelist
Debian	[SECURITY] [DLA 2119-1] python-pysaml2 security update	26 Feb 202011:17	–	debian
Debian	[SECURITY] [DSA 4630-1] python-pysaml2 security update	21 Feb 202020:21	–	debian
Debian CVE	CVE-2020-5390	13 Jan 202018:11	–	debiancve
Tenable Nessus	Debian DLA-2119-1 : python-pysaml2 security update	27 Feb 202000:00	–	nessus
Tenable Nessus	Debian DSA-4630-1 : python-pysaml2 - security update	24 Feb 202000:00	–	nessus
Tenable Nessus	Ubuntu 16.04 LTS / 18.04 LTS : PySAML2 vulnerability (USN-4245-1)	22 Jan 202000:00	–	nessus

Source	Link
github	www.github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
github	www.github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e
pypi	www.pypi.org/project/pysaml2/5.0.0/
github	www.github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
github	www.github.com/IdentityPython/pysaml2/releases
usn	www.usn.ubuntu.com/4245-1/
debian	www.debian.org/security/2020/dsa-4630
lists	www.lists.debian.org/debian-lts-announce/2020/02/msg00025.html

01 Feb 2023 17:08Current

7.4High risk

Vulners AI Score7.4

EPSS0.01207