Veracode Vulnerability DatabaseVERACODE:29101Improper Verification Of Cryptographic Signature
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
pysaml2 improperly verifies cryptographic signatures. The default CryptoBackendXmlSec1 using the xmlsec1 binary incorrectly accepts any type of key found in the given document, instead of explicitly allowing only x509 certificates for verification.
| CPE | Name | Operator | Version |
|---|---|---|---|
| pysaml2 | le | 6.4.1 | |
| python-pysaml2:stretch | eq | 3.0.0-5+deb9u1 | |
| python-pysaml2:bionic | eq | 4.0.2-0ubuntu3 | |
| python-pysaml2:bionic | eq | 4.0.2-0ubuntu3.1 |
References
github.com/advisories/GHSA-5p3x-r448-pc62
github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99
github.com/IdentityPython/pysaml2/commit/751dbf50a51131b13d55989395f9b115045f9737
github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
lists.debian.org/debian-lts-announce/2021/02/msg00038.html
pypi.org/project/pysaml2
www.aleksey.com/pipermail/xmlsec/2013/009717.html
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N