pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
{ "nvd_published_at": "2018-01-02T23:29:00Z", "cwe_ids": [ "CWE-287" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:27:01Z" }