GHSA-924m-4pmx-c67h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-924m-4pmx-c67h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-924m-4pmx-c67h/GHSA-924m-4pmx-c67h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-924m-4pmx-c67h
- Aliases
- Published
- 2018-07-13T16:01:17Z
- Modified
- 2024-10-21T21:25:30.520963Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- pysaml2 Improper Authentication vulnerability
- Details
-
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
- Database specific
{ "nvd_published_at": "2018-01-02T23:29:00Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-287" ], "github_reviewed_at": "2020-06-16T21:27:01Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000433
- https://github.com/rohe/pysaml2/issues/451
- https://github.com/IdentityPython/pysaml2/pull/454
- https://github.com/IdentityPython/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
- https://github.com/advisories/GHSA-924m-4pmx-c67h
- https://github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2018-48.yaml
- https://github.com/rohe/pysaml2
- https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- https://security.gentoo.org/glsa/201801-11
Affected packages
PyPI / pysaml2
Package
- Name
- pysaml2
- View open source insights on deps.dev
- Purl
- pkg:pypi/pysaml2