Vulnerability Details CVE-2017-1000433
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.2%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- https://github.com/rohe/pysaml2/issues/451
- https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- https://security.gentoo.org/glsa/201801-11
- https://github.com/rohe/pysaml2/issues/451
- https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- https://security.gentoo.org/glsa/201801-11
Products affected by CVE-2017-1000433
-
cpe:2.3:a:pysaml2_project:pysaml2:-
-
cpe:2.3:a:pysaml2_project:pysaml2:0.1
-
cpe:2.3:a:pysaml2_project:pysaml2:0.2
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4.1
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4.2
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4.3
-
cpe:2.3:a:pysaml2_project:pysaml2:1.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:1.0.1
-
cpe:2.3:a:pysaml2_project:pysaml2:1.0.3
-
cpe:2.3:a:pysaml2_project:pysaml2:2.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.1.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.2.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.3.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.4.0
-
cpe:2.3:a:pysaml2_project:pysaml2:3.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:3.0.2
-
cpe:2.3:a:pysaml2_project:pysaml2:4.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.1.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.2.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.3.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.4.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0