exploitDog

CVE-2021-21238

Published: 21 Jan 2021
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0.

A verification flaw was found in python-pysaml2, where it did not validate signed SAML documents against an XML schema. Because the flaw allowed invalid XML documents to be processed, a network attacker could exploit this flaw by tricking pysaml2 with a wrapped signature.

Statement

All versions of Red Hat OpenStack Platform ship but do not use the flawed check-signature functionality of python-pysaml2. The impact for these products is therefore rated as having a security impact of Low and will not be updated at this time.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                  Package          State                  Advisory   Release
Red Hat OpenStack Platform 10 (Newton)    python-pysaml2   Out of support scope
Red Hat OpenStack Platform 13 (Queens)    python-pysaml2   Out of support scope
Red Hat OpenStack Platform 16.1           python-pysaml2   Will not fix
Red Hat OpenStack Platform 16.2           python-pysaml2   Will not fix


Additional information

Status: Moderate
Weakness: CWE-347
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2007591 (python-pysaml2: processing of invalid SAML XML documents)

EPSS: 0.0014 (percentile 35%, Low)

CVSS3: 6.5 (Medium)

Related vulnerabilities

CVSS3: 6.5
ubuntu
more than 4 years ago

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. (Same description as above.)

CVSS3: 6.5
nvd
more than 4 years ago

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. (Same description as above.)

CVSS3: 6.5
debian
more than 4 years ago

PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...

CVSS3: 6.5
redos
about 1 year ago

Vulnerability in python3-pysaml2

CVSS3: 6.5
github
more than 4 years ago

SAML XML Signature wrapping in PySAML2
