CVE-2021-21239

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
pysaml2_projectpysaml2
𝑥
< 6.5.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-pysaml2
bullseye
6.5.1-1
fixed
buster
no-dsa
bookworm
7.0.1-2
fixed
sid
7.5.0-2
fixed
trixie
7.5.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pysaml2
jammy
Fixed 6.1.0-0ubuntu2
released
impish
Fixed 6.1.0-0ubuntu2
released
hirsute
Fixed 6.1.0-0ubuntu1.21.04.1
released
groovy
ignored
focal
Fixed 4.9.0-0ubuntu3.1
released
bionic
Fixed 4.0.2-0ubuntu3.2
released
xenial
Fixed 3.0.0-3ubuntu1.16.04.4+esm1
released
trusty
dne
Common Weakness Enumeration
References
https://github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99
https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://pypi.org/project/pysaml2
https://www.aleksey.com/pipermail/xmlsec/2013/009717.html
https://github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99
https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://pypi.org/project/pysaml2
https://www.aleksey.com/pipermail/xmlsec/2013/009717.html