CVE-2017-1000433

Published: 02 January 2018

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
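The failure mode behind this advisory is a general Python pitfall: running the interpreter with `-O` (or `PYTHONOPTIMIZE=1`) sets `__debug__` to False and strips every `assert` statement from the compiled bytecode, so a credential check written as an `assert` is simply not executed. The following is an added illustration of that pitfall, not pysaml2's code: it compiles a constructed assert-based verifier and an explicit if/raise verifier at optimisation level 0 and 1 (the `optimize` argument of the built-in `compile()` behaves like `-O`) and shows which one still rejects a wrong password. The user table and function names are constructed for the example.

```python
"""Added example: why a password check written as `assert` vanishes under
`python -O`, and the explicit form that survives. Not pysaml2's own code."""
import hmac
import sys

# Constructed user table. Plaintext is used only to keep the example short;
# real deployments store salted password hashes.
USERS = {"alice": "correct horse battery staple"}

# Vulnerable pattern: the entire credential check is an assert statement.
ASSERT_VERIFIER = '''
def verify(users, user, pwd):
    # Under -O this line is removed from the bytecode, lookup included.
    assert users[user] == pwd
    return True
'''

# Hardened pattern: an ordinary conditional is never optimised away, and the
# comparison is constant-time so the check does not leak via timing.
EXPLICIT_VERIFIER = '''
import hmac
def verify(users, user, pwd):
    expected = users.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pwd.encode()):
        raise PermissionError("invalid credentials")
    return True
'''


def load_verifier(source, optimize):
    """Compile `source` as the interpreter would at the given optimisation level
    (0 = normal, 1 = `python -O`) and return its verify() function."""
    namespace = {}
    code = compile(source, "<verifier>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace["verify"]


def login_accepted(source, optimize, user, pwd):
    """Return True if verify() lets the login through, False if it rejects it."""
    verify = load_verifier(source, optimize)
    try:
        return bool(verify(USERS, user, pwd))
    except (AssertionError, PermissionError, KeyError):
        return False


def interpreter_strips_asserts():
    """Defender's check for the running process: True when this interpreter was
    started with -O or PYTHONOPTIMIZE, i.e. assert-based checks are already gone."""
    return sys.flags.optimize >= 1 or not __debug__


if __name__ == "__main__":
    for name, src in (("assert", ASSERT_VERIFIER), ("explicit", EXPLICIT_VERIFIER)):
        for level in (0, 1):
            ok = login_accepted(src, level, "alice", "wrong password")
            print(f"{name:8s} verifier, optimize={level}: wrong password accepted={ok}")
    print("this interpreter strips asserts:", interpreter_strips_asserts())
```

With `optimize=1` the assert-based verifier accepts any password for any user, including names that are not in the table, because the stripped line was the only place the lookup happened; the explicit verifier rejects it at both levels. `interpreter_strips_asserts()` is the quick runtime check to add to a service's startup diagnostics when auditing for this class of bug.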

Priority

Medium

CVSS 3 base score: 8.1

Status

Package: python-pysaml2 (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 18.04 LTS (Bionic Beaver)   Released (4.0.2-0ubuntu3)
Ubuntu 16.04 LTS (Xenial Xerus)    Released (3.0.0-3ubuntu1.16.04.3)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://github.com/rohe/pysaml2/commit/efe27e2f40bf1c35d847f935ba74b4b86aa90fb5