CVE-2017-1000433: pysaml2 Improper Authentication vulnerability
(updated )
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
References
- github.com/IdentityPython/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
- github.com/IdentityPython/pysaml2/pull/454
- github.com/advisories/GHSA-924m-4pmx-c67h
- github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2018-48.yaml
- github.com/rohe/pysaml2
- github.com/rohe/pysaml2/issues/451
- lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- nvd.nist.gov/vuln/detail/CVE-2017-1000433
- security.gentoo.org/glsa/201801-11
Detect and mitigate CVE-2017-1000433 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →