CVE-2017-1000246 — Use of Insufficiently Random Values in Project Pysaml2

CWE-330 — Use of Insufficiently Random Values CWE-323 — Reusing a Nonce, Key Pair in Encryption8 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 68.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pysaml2 Project Pysaml2 Debian Python-pysaml2

Timeline

PublishedNov 17

Latest updateJul 16

Description

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/python-pysaml2< python-pysaml2 4.5.0-4 (bookworm)

▶NVDpysaml2_project/pysaml2< 4.6.0

▶PyPIpysaml2_project/pysaml2< 4.6.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Pysaml2 improperly initializes encryption vector↗2018-07-16

▶

OSV

Pysaml2 improperly initializes encryption vector↗2018-07-16

▶

OSV

CVE-2017-1000246: Python package pysaml2 version 4↗2017-11-17

▶

📋Vendor Advisories

Red Hat

python-pysaml2: Reuse of AES initialization vector in AESCipher↗2017-05-24

▶

Debian

CVE-2017-1000246: python-pysaml2 - Python package pysaml2 version 4.4.0 and earlier reuses the initialization vecto...↗2017

▶

💬Community

Bugzilla

CVE-2017-1000246 python-pysaml2: Reuse of AES initialization vector in AESCipher↗2017-12-11

▶

Bugzilla

CVE-2017-1000246 python-pysaml2: various flaws [fedora-all]↗2017-11-22

▶