CVE-2017-11427

Опубликовано: 17 апр. 2019

Источник: nvd

CVSS3: 7.7

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Ссылки

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
Exploit
Technical Description
Third Party Advisory
https://www.kb.cert.org/vuls/id/475445
Third Party Advisory
US Government Resource
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
Exploit
Technical Description
Third Party Advisory
https://www.kb.cert.org/vuls/id/475445
Third Party Advisory
US Government Resource

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:onelogin:pythonsaml:*:*:*:*:*:*:*:*

Версия до 2.3.0 (включая)

EPSS

Процентиль: 87%

0.03605

Низкий

7.7 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-287

Связанные уязвимости

GHSA-j8j8-348v-wfm3

CVSS3: 7.7

github

больше 6 лет назад

Python-saml allows manipulation of SAML data without invalidation of cryptographic signature

EPSS

Процентиль: 87%

0.03605

Низкий

7.7 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-287