PYSEC-2018-48

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2018-48.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2018-48

Aliases

CVE-2017-1000433
GHSA-924m-4pmx-c67h

Published

2018-01-02T23:29:00Z

Modified

2023-11-01T05:29:14.647671Z

Summary

[none]

Details

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

References

https://github.com/rohe/pysaml2/issues/451
https://security.gentoo.org/glsa/201801-11
https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
https://github.com/advisories/GHSA-924m-4pmx-c67h

Affected packages

PyPI / pysaml2

Package

Name: pysaml2; View open source insights on deps.dev
Purl: pkg:pypi/pysaml2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.0

Affected versions

0.*

0.4.3

1.*

1.0.1

1.0.2

1.0.3

1.1.0

2.*

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

3.*

3.0.0

3.0.2

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5rc1

4.0.5

4.1.0

4.2.0

4.3.0

4.4.0

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2018-48.yaml"