CVE-2020-5390

Опубликовано: 13 янв. 2020

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.

Ссылки

https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
Patch
Third Party Advisory
https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e
Patch
Third Party Advisory
https://github.com/IdentityPython/pysaml2/releases
Release Notes
Third Party Advisory
https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
Release Notes
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html
Mailing List
Third Party Advisory
https://pypi.org/project/pysaml2/5.0.0/
Product
Third Party Advisory
https://usn.ubuntu.com/4245-1/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4630
Third Party Advisory
https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
Patch
Third Party Advisory
https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e
Patch
Third Party Advisory
https://github.com/IdentityPython/pysaml2/releases
Release Notes
Third Party Advisory
https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
Release Notes
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html
Mailing List
Third Party Advisory
https://pypi.org/project/pysaml2/5.0.0/
Product
Third Party Advisory
https://usn.ubuntu.com/4245-1/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4630
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pysaml2_project:pysaml2:*:*:*:*:*:*:*:*

Версия до 5.0.0 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 73%

0.00763

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

CVE-2020-5390

CVSS3: 7.5

ubuntu

около 6 лет назад

CVE-2020-5390

CVSS3: 7.5

redhat

около 6 лет назад

CVE-2020-5390

CVSS3: 7.5

debian

около 6 лет назад

PySAML2 before 5.0.0 does not check that the signature in a SAML docum ...

GHSA-qf7v-8hj3-4xw7

CVSS3: 7.5

github

почти 6 лет назад

Improper Verification of Cryptographic Signature in PySAML2

BDU:2020-05775

CVSS3: 7.5

fstec

около 6 лет назад

Уязвимость библиотеки для обмена идентификационными данными по стандарту SAML2 PySAML2, связанная с некорректным подтверждением криптографической подписи данных, позволяющая нарушителю обойти проверку подписи и получить доступ к защищаемой информации

EPSS

Процентиль: 73%

0.00763

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347