ALT-PU-2018-3721-1 — python-module-pysaml2

CVE-2016-10149

HIGH7.5

XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.

Published: 2017-03-24Modified: 2025-04-20

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

CVE-2017-1000246

MEDIUM5.3

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.

Published: 2017-11-17Modified: 2025-04-20

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2017-1000433

HIGH8.1

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

Published: 2018-01-02Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-924m-4pmx-c67h

CRITICAL9.2

pysaml2 Improper Authentication vulnerability

Published: 2018-07-13Modified: 2024-10-22

CVSS 3.xCRITICAL 9.2

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0CRITICAL 9.2

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GHSA-c2vx-49jm-h3f6

HIGH8.7

Pysaml2 does not sanitize XML responses

Published: 2018-07-16Modified: 2024-10-22

CVSS 3.xHIGH 8.7

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0HIGH 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GHSA-cq94-qf6q-mf2h

MEDIUM6.3

Pysaml2 improperly initializes encryption vector

Published: 2018-07-16Modified: 2024-10-14

CVSS 3.xMEDIUM 6.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 4.0MEDIUM 6.3

CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

Package update python-module-pysaml2 in branch sisyphus

Closed issues (6)

XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

pysaml2 Improper Authentication vulnerability

Pysaml2 does not sanitize XML responses

Pysaml2 improperly initializes encryption vector