VYPR
Critical severity · NVD Advisory · Published Jan 2, 2018 · Updated Aug 5, 2024

CVE-2017-1000433

Description

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pysaml2 <=4.4.0 accepts any password when Python optimizations are enabled, allowing authentication bypass.

Vulnerability

pysaml2 versions 4.4.0 and older accept any password when run with Python optimizations enabled (e.g., the PYTHONOPTIMIZE environment variable or the -O flag). This occurs because the password validation logic relied on assert statements, which are removed during optimization, causing the check to be skipped entirely [1][2].

Exploitation

An attacker can log in as any user without knowing the correct password. The only prerequisite is that the application using pysaml2 is running with Python optimizations enabled. No authentication or user interaction is required beyond submitting a login request with an arbitrary password [1][2].

Impact

Successful exploitation results in complete authentication bypass. The attacker gains access to any user account within the SAML2-enabled application, potentially leading to unauthorized access to sensitive data or actions [1][2].

Mitigation

The vulnerability is fixed in pysaml2 version 4.5.0. Users should upgrade immediately. If upgrading is not possible, ensure that Python optimizations are disabled (i.e., avoid the -O flag and the PYTHONOPTIMIZE environment variable) [1][2]. No known workaround exists that preserves optimization while fixing the bug.
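As an added illustration of the mechanism described above (constructed for this page, not pysaml2's own code): an assert-based check is compiled out at optimization level 1, the level selected by -O or PYTHONOPTIMIZE, while the if/raise form used in the 4.5.0 fix survives. The verify() signatures, the is_equal helper and the stored password are assumptions of the example; compile(..., optimize=...) lets both levels be observed in one process.

```python
import hmac
import textwrap

# Constructed example (not pysaml2 code): the two verify() patterns from the
# advisory, compiled at optimization level 0 (normal) and 1 (`python -O`).

VULNERABLE_SRC = textwrap.dedent("""
    def verify(pwd, stored, is_equal):
        # Pre-4.5.0 pattern: the whole check lives in an assert statement.
        assert is_equal(pwd, stored)
        return True
""")

FIXED_SRC = textwrap.dedent("""
    def verify(pwd, stored, is_equal):
        # 4.5.0 pattern: an explicit check that survives optimization.
        if not is_equal(pwd, stored):
            raise ValueError("Wrong password")
        return True
""")

def is_equal(a, b):
    # Constant-time string comparison (stand-in for the project's is_equal helper).
    return hmac.compare_digest(a.encode(), b.encode())

def load_verify(src, optimize):
    """Compile src at optimization level 0 or 1 and return its verify() function."""
    ns = {}
    exec(compile(src, "<verify>", "exec", optimize=optimize), ns)
    return ns["verify"]

def login_accepted(src, optimize, pwd, stored="s3cret"):
    """True if verify() accepts pwd, False if it rejects it by raising."""
    verify = load_verify(src, optimize)
    try:
        return verify(pwd, stored, is_equal)
    except (AssertionError, ValueError):
        return False

def rejects_wrong_password_at_all_levels(src):
    """Regression check: a wrong password must be rejected with and without -O."""
    return all(not login_accepted(src, opt, "wrong") for opt in (0, 1))

if __name__ == "__main__":
    print("vulnerable, no -O:", login_accepted(VULNERABLE_SRC, 0, "wrong"))  # False
    print("vulnerable, -O   :", login_accepted(VULNERABLE_SRC, 1, "wrong"))  # True: bypass
    print("fixed, -O        :", login_accepted(FIXED_SRC, 1, "wrong"))       # False
    print("fix passes check :", rejects_wrong_password_at_all_levels(FIXED_SRC))  # True
```

The last function is the kind of test a project can keep in CI so that a check silently compiled out under -O is caught before release.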

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pysaml2 (PyPI)
Affected versions: < 4.5.0
Patched versions: 4.5.0

Affected products: 16

Patches: 1

Commit 6312a41e0379

Quick fix for the authentication bypass due to optimizations #451

https://github.com/IdentityPython/pysaml2 · Ioannis Kakavas · Sep 12, 2017 · via GHSA
1 file changed · +3 −2
  • src/saml2/authn.py · +3 −2 · modified
    @@ -146,7 +146,8 @@ def __call__(self, cookie=None, policy_url=None, logo_url=None,
             return resp
     
         def _verify(self, pwd, user):
    -        assert is_equal(pwd, self.passwd[user])
    +        if not is_equal(pwd, self.passwd[user]):
    +            raise ValueError("Wrong password")
     
         def verify(self, request, **kwargs):
             """
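Review bot: The explicit `if not is_equal(...): raise ValueError(...)` is the right shape, since an assert statement is compiled out under -O, but ValueError is a generic exception that the caller in verify() now catches for its whole try block; a dedicated exception class raised here (a small subclass of Exception) would keep an unrelated ValueError from being reported as a wrong password. Consider also adding a test that calls _verify with a wrong password while the interpreter runs with optimizations (python -O), so the regression cannot reappear unnoticed.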
    @@ -176,7 +177,7 @@ def verify(self, request, **kwargs):
                 return_to = create_return_url(self.return_to, _dict["query"][0],
                                               **{self.query_param: "true"})
                 resp = Redirect(return_to, headers=[cookie])
    -        except (AssertionError, KeyError):
    +        except (ValueError, KeyError):
                 resp = Unauthorized("Unknown user or wrong password")
     
             return resp
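Review bot: Catching ValueError here widens the handler beyond the password check: any ValueError raised by create_return_url or Redirect inside the try block will now be answered with "Unknown user or wrong password" instead of surfacing. Narrowing the except clause to a dedicated exception raised by _verify, or wrapping only the _verify call in its own try, would keep the error reporting precise.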
    

