Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-21239

Опубликовано: 21 янв. 2021
Источник: nvd
CVSS3: 6.5
CVSS2: 4.3
EPSS Низкий

Описание

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only x509 certificates for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:pysaml2_project:pysaml2:*:*:*:*:*:*:*:*
Версия до 6.5.0 (исключая)
Конфигурация 2
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 86%
0.0286
Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

ubuntu логотип

CVE-2021-21239

CVSS3: 6.5
ubuntu
около 5 лет назад

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

redhat логотип

CVE-2021-21239

CVSS3: 6.5
redhat
около 5 лет назад

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

debian логотип

CVE-2021-21239

CVSS3: 6.5
debian
около 5 лет назад

PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...

github логотип

GHSA-5p3x-r448-pc62

CVSS3: 6.5
github
около 5 лет назад

Improper Verification of Cryptographic Signature in PySAML2

EPSS

Процентиль: 86%
0.0286
Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-347