CVE-2017-1000433

EUVD-2018-0126
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
pysaml2_projectpysaml2
𝑥
≤ 4.4.0
debiandebian_linux
8.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-pysaml2
bookworm
7.0.1-2
fixed
bullseye
6.5.1-1
fixed
sid
7.5.0-2
fixed
trixie
7.5.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pysaml2
artful
Fixed 3.0.0-3ubuntu2.2
released
trusty
dne
xenial
Fixed 3.0.0-3ubuntu1.16.04.3
released
zesty
Fixed 3.0.0-3ubuntu1.17.04.3
released
Common Weakness Enumeration
References
https://github.com/rohe/pysaml2/issues/451
https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://security.gentoo.org/glsa/201801-11
https://github.com/rohe/pysaml2/issues/451
https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://security.gentoo.org/glsa/201801-11