High severityNVD Advisory· Published Jan 13, 2020· Updated Aug 4, 2024

CVE-2020-5390

Description

PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PySAML2 before 5.0.0 is vulnerable to XML Signature Wrapping, allowing attackers to bypass signature verification on SAML assertions.

Vulnerability

Overview PySAML2 versions prior to 5.0.0 fail to enforce that a SAML document's signature is enveloped, leaving it susceptible to XML Signature Wrapping (XSW) attacks [1][2]. The signature verification process does not check that the signature's Reference URI points to the same element being signed, so an attacker can embed a valid signature on one element while substituting a different element as the payload [3].

Exploitation

An attacker with network access can craft a SAML assertion where the signature validates correctly but the actual data consumed (e.g., user identity attributes) comes from a different part of the document [4]. No authentication is required to send a malicious SAML response to a relying party that uses an affected version of PySAML2. The attack exploits the XML Signature Wrapping technique, which is well-known and leveraged in SAML-based systems.

Impact

Successful exploitation allows an attacker to forge arbitrary SAML assertions, potentially gaining unauthorized access to applications or services that rely on PySAML2 for authentication. This could lead to privilege escalation, data exposure, or account takeover, depending on the integration [2][4].

Mitigation

The vulnerability is fixed in PySAML2 version 5.0.0 [1]. The fix adds strict validation of envelope constraints per SAML Core 5.4 XML Signature Profile, ensuring that signatures only reference the enclosing element's ID [3]. Users should upgrade immediately; no workaround is available.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pysaml2PyPI	< 5.0.0	5.0.0

Affected products

265

PySAML2/PySAML2description
ghsa-coords264 versions
pkg:pypi/pysaml2 pkg:rpm/opensuse/python-pysaml2&distro=openSUSE%20Tumbleweed pkg:rpm/suse/ansible1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/ardana-ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-cassandra&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-cluster&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-cluster&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-input-model&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-input-model&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-logging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-mq&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-osconfig&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-tempest&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/caasp-openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/documentation-hpe-helion-openstack-installation&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-operations&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-opsconsole&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-planning&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-security&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-user&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-suse-openstack-cloud-deployment&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-installation&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-operations&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-opsconsole&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-planning&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-security&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/influxdb&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/influxdb&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/keepalived&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/memcached&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-dashboard&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-dashboard-theme-HPE&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-heat&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-heat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-ironic-python-agent&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-ironic-python-agent&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-manila-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-monasca-agent&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-monasca-installer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-fwaas&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-fwaas-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-neutron-vpnaas&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-neutron-vpnaas&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-octavia-amphora-image&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-tempest&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-amqp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-apicapi&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-apicapi&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-apicapi&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Flask&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Flask&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Flask&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-GitPython&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-GitPython&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-keystoneauth1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.messaging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-psql2mysql&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pyroute2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-pysaml2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-pytest&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-pytest&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-tooz&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-tooz&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-tooz&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-waitress&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rabbitmq-server&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/spark&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/spark&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/storm&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/zookeeper&distro=SUSE%20OpenStack%20Cloud%207
< 5.0.0+ 263 more
- (no CPE)range: < 5.0.0
- (no CPE)range: < 7.4.2-1.2
- (no CPE)range: < 1.9.6-7.3.1
- (no CPE)range: < 1.9.6-7.3.1
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 2.2.3.0-12.2
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 8.0+git.1589740980.6c3bcdc-3.73.1
- (no CPE)range: < 8.0+git.1589740980.6c3bcdc-3.73.1
- (no CPE)range: < 9.0+git.1600802664.7e480a2-3.6.2
- (no CPE)range: < 8.0+git.1585685203.3e71e49-3.36.1
- (no CPE)range: < 8.0+git.1585685203.3e71e49-3.36.1
- (no CPE)range: < 8.0+git.1586539529.b7d295f-3.21.1
- (no CPE)range: < 8.0+git.1586539529.b7d295f-3.21.1
- (no CPE)range: < 8.0+git.1589740934.0e0ad61-3.39.1
- (no CPE)range: < 8.0+git.1589740934.0e0ad61-3.39.1
- (no CPE)range: < 8.0+git.1591194866.b7375d0-3.24.1
- (no CPE)range: < 8.0+git.1591194866.b7375d0-3.24.1
- (no CPE)range: < 8.0+git.1589715269.62ad6df-3.22.1
- (no CPE)range: < 8.0+git.1589715269.62ad6df-3.22.1
- (no CPE)range: < 9.0+git.1605174486.a78ddce-3.19.2
- (no CPE)range: < 8.0+git.1590756744.ba84abc-3.42.1
- (no CPE)range: < 8.0+git.1590756744.ba84abc-3.42.1
- (no CPE)range: < 8.0+git.1590100427.cf4cc8f-3.29.1
- (no CPE)range: < 8.0+git.1590100427.cf4cc8f-3.29.1
- (no CPE)range: < 8.0+git.1587034587.eac37b8-3.45.1
- (no CPE)range: < 8.0+git.1587034587.eac37b8-3.45.1
- (no CPE)range: < 9.0+git.1601621747.a87e5a0-3.22.2
- (no CPE)range: < 9.0+git.1603378983.fc0bca9-3.19.2
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 4.0+git.1580209654.1d112d31f-9.66.5
- (no CPE)range: < 5.0+git.1593156248.55bbdb26d-3.41.2
- (no CPE)range: < 6.0+git.1606314264.bf9ada813-3.31.2
- (no CPE)range: < 4.0+git.1585316203.d6ad2c8-4.52.4
- (no CPE)range: < 4.0+git.1589804581.9972163f0-9.71.4
- (no CPE)range: < 5.0+git.1593085772.64c4ab43c-4.40.2
- (no CPE)range: < 6.0+git.1604573541.bb18c172d-3.28.3
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 4.6.5-1.14.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 6.7.4-3.20.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 6.7.4-3.20.1
- (no CPE)range: < 1.3.8-4.3.3
- (no CPE)range: < 1.3.8-4.3.3
- (no CPE)range: < 2.0.19-1.8.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 4.6.3-5.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 1.5.17-3.6.1
- (no CPE)range: < 20180608_12.47-12.1
- (no CPE)range: < 13.0.10~dev20-3.28.2
- (no CPE)range: < 13.0.10~dev20-3.28.2
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 8+git.1523473653.6599ec8-3.3.1
- (no CPE)range: < 2016.2-5.12.4
- (no CPE)range: < 11.0.4~dev4-3.19.2
- (no CPE)range: < 11.0.4~dev4-3.19.2
- (no CPE)range: < 12.0.1~dev2-3.3.4
- (no CPE)range: < 12.0.1~dev2-3.3.4
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1605509190.64f020b6-3.9.3
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1605509190.64f020b6-3.9.3
- (no CPE)range: < 12.0.1~dev3-3.3.4
- (no CPE)range: < 12.0.1~dev3-3.3.4
- (no CPE)range: < 3.3.4~dev6-3.19.4
- (no CPE)range: < 3.3.4~dev6-3.19.4
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 3.0.1~dev30-4.12.2
- (no CPE)range: < 7.4.2~dev57-4.30.2
- (no CPE)range: < 7.4.2~dev57-4.30.2
- (no CPE)range: < 3.0.1~dev30-4.12.3
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 13.0.8~dev135-3.31.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 13.0.8~dev135-3.31.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 9.0.2~dev5-4.9.3
- (no CPE)range: < 9.0.2~dev5-4.9.4
- (no CPE)range: < 12.0.1~dev5-3.19.4
- (no CPE)range: < 12.0.1~dev5-3.19.4
- (no CPE)range: < 13.0.2~dev6-3.9.2
- (no CPE)range: < 13.0.2~dev6-3.9.2
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 18.3.1~dev77-3.31.2
- (no CPE)range: < 18.3.1~dev77-3.31.2
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 12.2.1~a0~dev177-4.9.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 1.8.19-3.23.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 2.1.8-3.3.1
- (no CPE)range: < 2.1.8-3.3.1
- (no CPE)range: < 2.10.1-3.3.3
- (no CPE)range: < 2.10.1-3.3.3
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 2.8.1-4.12.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 0.5.0+git.1589351878.4ef877c-1.12.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 1.2.1-21.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 1.8.1-11.12.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.0.2-3.17.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.5.0-4.3.3
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.5.0-4.3.3
- (no CPE)range: < 3.7.4-3.3.3
- (no CPE)range: < 3.7.4-3.3.3
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.23-3.15.3
- (no CPE)range: < 1.23-3.15.3
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 3.4.4-3.16.1
- (no CPE)range: < 7.20180803-3.18.3
- (no CPE)range: < 9.20200917-3.24.3
- (no CPE)range: < 9.20200917-3.24.3
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 3.9.2-7.20.1
- (no CPE)range: < 3.9.2-3.12.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 2.16.0-4.6.1
- (no CPE)range: < 2.16.0-3.9.1
- (no CPE)range: < 2.2.3-5.3.3
- (no CPE)range: < 2.2.3-5.3.3
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 5.1.1~dev7-12.26.2
- (no CPE)range: < 5.1.1~dev7-12.26.2
- (no CPE)range: < 5.0.2~dev3-12.27.2
- (no CPE)range: < 5.0.2~dev3-12.27.2
- (no CPE)range: < 7.0.1~dev24-3.21.2
- (no CPE)range: < 9.0.8~dev7-12.24.2
- (no CPE)range: < 9.0.8~dev7-12.24.2
- (no CPE)range: < 11.2.3~dev23-14.27.2
- (no CPE)range: < 11.2.3~dev23-14.27.2
- (no CPE)range: < 13.0.10~dev20-3.24.2
- (no CPE)range: < 5.0.3~dev7-12.25.2
- (no CPE)range: < 5.0.3~dev7-12.25.2
- (no CPE)range: < 7.0.2~dev2-3.21.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.22.1
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.22.1
- (no CPE)range: < 15.0.3~dev3-12.25.1
- (no CPE)range: < 15.0.3~dev3-12.25.1
- (no CPE)range: < 17.0.1~dev30-3.19.2
- (no CPE)range: < 9.0.8~dev22-12.27.1
- (no CPE)range: < 9.0.8~dev22-12.27.1
- (no CPE)range: < 11.0.4~dev4-3.21.2
- (no CPE)range: < 12.0.5~dev3-14.30.1
- (no CPE)range: < 14.1.1~dev7-4.23.2
- (no CPE)range: < 12.0.5~dev3-14.30.1
- (no CPE)range: < 9.1.8~dev8-12.27.2
- (no CPE)range: < 9.1.8~dev8-12.27.2
- (no CPE)range: < 11.1.5~dev16-4.19.2
- (no CPE)range: < 12.0.4~dev11-11.28.2
- (no CPE)range: < 12.0.4~dev11-11.28.2
- (no CPE)range: < 14.2.1~dev4-3.21.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.26.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.26.2
- (no CPE)range: < 7.2.1~dev1-4.21.2
- (no CPE)range: < 5.1.1~dev5-12.31.2
- (no CPE)range: < 5.1.1~dev5-12.31.2
- (no CPE)range: < 7.4.2~dev57-3.25.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.22.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.22.2
- (no CPE)range: < 1.8.2~dev3-3.21.2
- (no CPE)range: < 2.2.2~dev1-11.22.3
- (no CPE)range: < 2.2.2~dev1-11.22.3
- (no CPE)range: < 2.7.1~dev10-3.19.2
- (no CPE)range: < 4.0.2~dev2-12.22.1
- (no CPE)range: < 4.0.2~dev2-12.22.1
- (no CPE)range: < 11.0.9~dev65-13.30.2
- (no CPE)range: < 11.0.9~dev65-13.30.2
- (no CPE)range: < 13.0.8~dev135-6.23.2
- (no CPE)range: < 16.1.9~dev61-11.28.2
- (no CPE)range: < 16.1.9~dev61-11.28.2
- (no CPE)range: < 18.3.1~dev77-3.23.2
- (no CPE)range: < 1.0.6~dev3-12.27.2
- (no CPE)range: < 1.0.6~dev3-12.27.2
- (no CPE)range: < 3.2.3~dev7-4.21.2
- (no CPE)range: < 7.0.5~dev4-11.26.2
- (no CPE)range: < 7.0.5~dev4-11.26.2
- (no CPE)range: < 9.0.2~dev15-3.21.2
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.18.1
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.18.1
- (no CPE)range: < 2.19.2~dev48-2.16.2
- (no CPE)range: < 8.0.2~dev2-11.26.1
- (no CPE)range: < 8.0.2~dev2-11.26.1
- (no CPE)range: < 3.4.10-6.1

Patches

f27c7e7a7010

Release version 5.0.0

https://github.com/IdentityPython/pysaml2Ivan KanakarakisJan 13, 2020via ghsa

commit

2 files changed · +22 −1

CHANGELOG.md+21 −0 modified

@@ -1,5 +1,26 @@
 # Changelog
 
+## 5.0.0 (2020-01-13)
+
+- Fix XML Signature Wrapping (XSW) vulnerabilities - CVE-2020-5390
+- Add freshness period feature for MetaDataMDX
+- Fix bug in duration calculation in time_util library
+- Fix ipv6 validation to accommodate for addresses with brackets
+- Fix xmlsec temporary files deletions
+- Add method to get supported algorithms from metadata
+- Add mdstore method to extract assurance certifications
+- Add mdstore method to extract contact_person data
+- Add attribute mappings from the Swiss eduPerson Schema
+- Make AESCipher and Fernet interfaces compatible
+- Remove deprecated saml2.aes module
+- Remove deprecated saml2.extensions.ui module
+- Replace deprecated mongodb operations
+- Rename ToOld error to TooOld
+- Fix pytest warnings
+- Mock tests that need a network connection
+- Start dropping python2 support
+
+
 ## 4.9.0 (2019-11-03)
 
 - Add mdstore methods to extract mdui uiinfo elements

VERSION+1 −1 modified
```
@@ -1 +1 @@
-4.9.0
+5.0.0
```

5e9d5acbcd8a

Fix XML Signature Wrapping (XSW) vulnerabilities

https://github.com/IdentityPython/pysaml2Ivan KanakarakisJan 3, 2020via ghsa

commit

3 files changed · +99 −0

src/saml2/sigver.py+49 −0 modified

@@ -1476,6 +1476,55 @@ def _check_signature(self, decoded_xml, item, node_name=NODE_NAME, origdoc=None,
         if not certs:
             raise MissingKey(_issuer)
 
+        # saml-core section "5.4 XML Signature Profile" defines constrains on the
+        # xmldsig-core facilities. It explicitly dictates that enveloped signatures
+        # are the only signatures allowed. This mean that:
+        # * Assertion/RequestType/ResponseType elements must have an ID attribute
+        # * signatures must have a single Reference element
+        # * the Reference element must have a URI attribute
+        # * the URI attribute contains an anchor
+        # * the anchor points to the enclosing element's ID attribute
+        references = item.signature.signed_info.reference
+        signatures_must_have_a_single_reference_element = len(references) == 1
+        the_Reference_element_must_have_a_URI_attribute = (
+            signatures_must_have_a_single_reference_element
+            and hasattr(references[0], "uri")
+        )
+        the_URI_attribute_contains_an_anchor = (
+            the_Reference_element_must_have_a_URI_attribute
+            and references[0].uri.startswith("#")
+            and len(references[0].uri) > 1
+        )
+        the_anchor_points_to_the_enclosing_element_ID_attribute = (
+            the_URI_attribute_contains_an_anchor
+            and references[0].uri == "#{id}".format(id=item.id)
+        )
+        validators = {
+            "signatures must have a single reference element": (
+                signatures_must_have_a_single_reference_element
+            ),
+            "the Reference element must have a URI attribute": (
+                the_Reference_element_must_have_a_URI_attribute
+            ),
+            "the URI attribute contains an anchor": (
+                the_URI_attribute_contains_an_anchor
+            ),
+            "the anchor points to the enclosing element ID attribute": (
+                the_anchor_points_to_the_enclosing_element_ID_attribute
+            ),
+        }
+        if not all(validators.values()):
+            error_context = {
+                "message": "Signature failed to meet constraints on xmldsig",
+                "validators": validators,
+                "item ID": item.id,
+                "reference URI": item.signature.signed_info.reference[0].uri,
+                "issuer": _issuer,
+                "node name": node_name,
+                "xml document": decoded_xml,
+            }
+            raise SignatureError(error_context)
+
         verified = False
         last_pem_file = None

tests/saml2_response_xsw.xml+6 −0 added

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0GA1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJsiojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSwmDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6mrPzGzk3ECbupFnqyREH3+ZPSdk=</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
+<XSW_ATTACK>
+<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">foo@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
+</XSW_ATTACK>
+</ns0:Response>

tests/test_xsw.py+44 −0 added

@@ -0,0 +1,44 @@
+from datetime import datetime
+from unittest.mock import Mock
+from unittest.mock import patch
+
+from saml2.config import config_factory
+from saml2.response import authn_response
+from saml2.sigver import SignatureError
+
+from dateutil import parser
+
+from pytest import raises
+
+from pathutils import dotname
+from pathutils import full_path
+
+
+XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
+
+
+class TestAuthnResponse:
+    def setup_class(self):
+        self.conf = config_factory("sp", dotname("server_conf"))
+        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
+
+    @patch('saml2.response.validate_on_or_after', return_value=True)
+    def test_verify_signed_xsw(self, mock_validate_on_or_after):
+        self.ar.issue_instant_ok = Mock(return_value=True)
+
+        with open(XML_RESPONSE_XSW) as fp:
+            xml_response = fp.read()
+
+        self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
+        self.ar.timeslack = 10000
+        self.ar.loads(xml_response, decode=False)
+
+        assert self.ar.came_from == 'http://localhost:8088/sso'
+        assert self.ar.session_id() == "id12"
+        assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
+
+        with raises(SignatureError):
+            self.ar.verify()
+
+        assert self.ar.ava is None
+        assert self.ar.name_id is None

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-qf7v-8hj3-4xw7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-5390ghsaADVISORY
usn.ubuntu.com/4245-1/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2020/dsa-4630ghsavendor-advisoryx_refsource_DEBIANWEB
github.com/IdentityPython/pysaml2/blob/master/CHANGELOG.mdghsaWEB
github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25ghsax_refsource_CONFIRMWEB
github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6eghsax_refsource_CONFIRMWEB
github.com/IdentityPython/pysaml2/releases/tag/v5.0.0ghsax_refsource_CONFIRMWEB
github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2020-94.yamlghsaWEB
lists.debian.org/debian-lts-announce/2020/02/msg00025.htmlghsamailing-listx_refsource_MLISTWEB
pypi.org/project/pysaml2/5.0.0ghsaWEB
pypi.org/project/pysaml2/5.0.0/mitrex_refsource_MISC
usn.ubuntu.com/4245-1ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000