Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVwM3gtcjQ0OC1wYzYy
Improper Verification of Cryptographic Signature in PySAML2
Impact
All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. pysaml2 <= 6.4.1 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default, xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only x509 certificates for the verification process of the SAML document signature.
Patches
Users should upgrade to pysaml2 v6.5.0.
Workarounds
No workaround provided at this point.
References
This issue has been reported in the past at the xmlsec1 mailing list:
https://www.aleksey.com/pipermail/xmlsec/2013/009717.html
Credits
- Brian Wolff
For more information
If you have any questions or comments about this advisory:
- Open an issue in pysaml2
- Email us at the incident-response address
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVwM3gtcjQ0OC1wYzYy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-5p3x-r448-pc62, CVE-2021-21239
References:
- https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
- https://github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99
- https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
- https://pypi.org/project/pysaml2
- https://www.aleksey.com/pipermail/xmlsec/2013/009717.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-21239
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- https://github.com/advisories/GHSA-5p3x-r448-pc62
Blast Radius: 16.8
Affected Packages
pypi:pysaml2
Dependent packages: 22Dependent repositories: 378
Downloads: 631,726 last month
Affected Version Ranges: < 6.5.0
Fixed in: 6.5.0
All affected versions: 0.4.3, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 3.0.0, 3.0.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.7.0, 4.8.0, 4.9.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1
All unaffected versions: 6.5.0, 6.5.1, 6.5.2, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.4.2, 7.5.0