CVE-2017-1000433 — Improper Authentication in Project Pysaml2

CWE-287 — Improper Authentication8 documents7 sources

Severity

8.1HIGHNVD

EPSS

2.1%

top 15.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pysaml2 Project Pysaml2 Debian Python-pysaml2 Debian Linux

Timeline

PublishedJan 2

Latest updateJul 13

Description

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/python-pysaml2< python-pysaml2 4.5.0-2 (bookworm)

▶PyPIpysaml2_project/pysaml2< 4.5.0

▶NVDpysaml2_project/pysaml24.4.0

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

pysaml2 Improper Authentication vulnerability↗2018-07-13

▶

GHSA

pysaml2 Improper Authentication vulnerability↗2018-07-13

▶

OSV

CVE-2017-1000433: pysaml2 version 4↗2018-01-02

▶

📋Vendor Advisories

Ubuntu

PySAML2 vulnerability↗2018-01-08

▶

Red Hat

python-pysaml2: Access restriction bypass↗2017-09-10

▶

Debian

CVE-2017-1000433: python-pysaml2 - pysaml2 version 4.4.0 and older accept any password when run with python optimiz...↗2017

▶

💬Community

Bugzilla

CVE-2017-1000433 python-pysaml2: Access restriction bypass↗2017-11-22

▶