CVE-2021-21238: SAML XML Signature wrapping in PySAML2
(updated )
All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. pysaml2 <= 6.4.1 does not validate the SAML document against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elements with a valid signature inside elements whose content has been malformed. The verification is offloaded to xmlsec1 and xmlsec1 will not validate every signature in the given document, but only the first it finds in the given scope.
References
- github.com/IdentityPython/pysaml2
- github.com/IdentityPython/pysaml2/commit/1d8fd268f5bf887480a403a7a5ef8f048157cc14
- github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
- github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9
- github.com/advisories/GHSA-f4g9-h89h-jgv9
- github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2021-48.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-21238
- pypi.org/project/pysaml2
Detect and mitigate CVE-2021-21238 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →