PYSEC-2021-48

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2021-48.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2021-48
Aliases
Published
2021-01-21T15:15:00Z
Modified
2023-11-01T04:54:09.497040Z
Summary
[none]
Details

PySAML2 is a pure-Python implementation of the SAML Version 2 standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping: pysaml2 did not validate the SAML document against an XML schema, so invalid XML documents were processed, and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0.

References

Affected packages

PyPI / pysaml2

Package

Affected ranges

Type
GIT
Repo
https://github.com/IdentityPython/pysaml2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.5.0

Affected versions

0.*

0.4.3

1.*

1.0.1
1.0.2
1.0.3
1.1.0

2.*

2.0.0
2.1.0
2.2.0
2.3.0
2.4.0

3.*

3.0.0
3.0.2

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5rc1
4.0.5
4.1.0
4.2.0
4.3.0
4.4.0
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.7.0
4.8.0
4.9.0

5.*

5.0.0
5.1.0
5.2.0
5.3.0
5.4.0

6.*

6.0.0
6.1.0
6.2.0
6.3.0
6.3.1
6.4.0
6.4.1