Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkyNG0tNHBteC1jNjdo
pysaml2 Improper Authentication vulnerability
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
Permalink: https://github.com/advisories/GHSA-924m-4pmx-c67hJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkyNG0tNHBteC1jNjdo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-924m-4pmx-c67h, CVE-2017-1000433
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000433
- https://github.com/rohe/pysaml2/issues/451
- https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- https://security.gentoo.org/glsa/201801-11
- https://github.com/IdentityPython/pysaml2/pull/454
- https://github.com/IdentityPython/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
- https://github.com/advisories/GHSA-924m-4pmx-c67h
Blast Radius: 20.9
Affected Packages
pypi:pysaml2
Dependent packages: 22Dependent repositories: 378
Downloads: 631,726 last month
Affected Version Ranges: < 4.5.0
Fixed in: 4.5.0
All affected versions: 0.4.3, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 3.0.0, 3.0.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.2.0, 4.3.0, 4.4.0
All unaffected versions: 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.7.0, 4.8.0, 4.9.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.4.2, 7.5.0