PyPI package
pysaml2
pkg:pypi/pysaml2
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21239 | Med | 6.5 | < 6.5.0 | 6.5.0 | Jan 21, 2021 | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted | |
| CVE-2021-21238 | Med | 6.5 | < 6.5.0 | 6.5.0 | Jan 21, 2021 | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig | |
| CVE-2020-5390 | Hig | 7.5 | < 5.0.0 | 5.0.0 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus | |
| CVE-2017-1000433 | Hig | 8.1 | < 4.5.0 | 4.5.0 | Jan 2, 2018 | pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password. | |
| CVE-2017-1000246 | Med | 5.3 | < 4.6.0 | 4.6.0 | Nov 17, 2017 | Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data. | |
| CVE-2016-10149 | Hig | 7.5 | < 4.5.0 | 4.5.0 | Mar 24, 2017 | XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response. | |
| CVE-2016-10127 | Cri | 9.0 | < 4.5.0 | 4.5.0 | Mar 3, 2017 | PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response. |
- affected < 6.5.0fixed 6.5.0
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
- affected < 6.5.0fixed 6.5.0
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
- affected < 5.0.0fixed 5.0.0
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
- affected < 4.5.0fixed 4.5.0
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
- affected < 4.6.0fixed 4.6.0
Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
- affected < 4.5.0fixed 4.5.0
XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.
- affected < 4.5.0fixed 4.5.0
PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.