6.5 Medium (CVSS3)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | REQUIRED
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | HIGH
Availability Impact | NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

4.3 Medium (CVSS2)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
pysaml2 improperly verifies cryptographic signatures. The default CryptoBackendXmlSec1, which uses the xmlsec1 binary, incorrectly accepts any type of key found in the given document instead of explicitly allowing only x509 certificates for verification.
CPE

Name | Operator | Version
---|---|---
pysaml2 | le | 6.4.1
python-pysaml2:stretch | eq | 3.0.0-5+deb9u1
python-pysaml2:bionic | eq | 4.0.2-0ubuntu3
python-pysaml2:bionic | eq | 4.0.2-0ubuntu3.1
github.com/advisories/GHSA-5p3x-r448-pc62
github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99
github.com/IdentityPython/pysaml2/commit/751dbf50a51131b13d55989395f9b115045f9737
github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
lists.debian.org/debian-lts-announce/2021/02/msg00038.html
pypi.org/project/pysaml2
www.aleksey.com/pipermail/xmlsec/2013/009717.html