Vulnerability Details CVE-2020-5390
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
- https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e
- https://github.com/IdentityPython/pysaml2/releases
- https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
- https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html
- https://pypi.org/project/pysaml2/5.0.0/
- https://usn.ubuntu.com/4245-1/
- https://www.debian.org/security/2020/dsa-4630
- https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
- https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e
- https://github.com/IdentityPython/pysaml2/releases
- https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
- https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html
- https://pypi.org/project/pysaml2/5.0.0/
- https://usn.ubuntu.com/4245-1/
- https://www.debian.org/security/2020/dsa-4630
Products affected by CVE-2020-5390
-
cpe:2.3:a:pysaml2_project:pysaml2:-
-
cpe:2.3:a:pysaml2_project:pysaml2:0.1
-
cpe:2.3:a:pysaml2_project:pysaml2:0.2
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4.1
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4.2
-
cpe:2.3:a:pysaml2_project:pysaml2:0.4.3
-
cpe:2.3:a:pysaml2_project:pysaml2:1.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:1.0.1
-
cpe:2.3:a:pysaml2_project:pysaml2:1.0.3
-
cpe:2.3:a:pysaml2_project:pysaml2:2.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.1.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.2.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.3.0
-
cpe:2.3:a:pysaml2_project:pysaml2:2.4.0
-
cpe:2.3:a:pysaml2_project:pysaml2:3.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:3.0.2
-
cpe:2.3:a:pysaml2_project:pysaml2:4.0.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.1.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.2.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.3.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.4.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.5.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.6.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.6.1
-
cpe:2.3:a:pysaml2_project:pysaml2:4.6.2
-
cpe:2.3:a:pysaml2_project:pysaml2:4.6.3
-
cpe:2.3:a:pysaml2_project:pysaml2:4.6.4
-
cpe:2.3:a:pysaml2_project:pysaml2:4.6.5
-
cpe:2.3:a:pysaml2_project:pysaml2:4.7.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.8.0
-
cpe:2.3:a:pysaml2_project:pysaml2:4.9.0
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:19.04
-
cpe:2.3:o:canonical:ubuntu_linux:19.10
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0