CVE-2017-1000433

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
VendorProductVersion
pysaml2_projectpysaml2
𝑥
≤ 4.4.0
debiandebian_linux
8.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-pysaml2
bullseye
6.5.1-1
fixed
bookworm
7.0.1-2
fixed
sid
7.5.0-2
fixed
trixie
7.5.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pysaml2
artful
Fixed 3.0.0-3ubuntu2.2
released
zesty
Fixed 3.0.0-3ubuntu1.17.04.3
released
xenial
Fixed 3.0.0-3ubuntu1.16.04.3
released
trusty
dne
Common Weakness Enumeration
References
https://github.com/rohe/pysaml2/issues/451
https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://security.gentoo.org/glsa/201801-11
https://github.com/rohe/pysaml2/issues/451
https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://security.gentoo.org/glsa/201801-11