CVE-2017-1000433 – pysaml2
Package
Manager: pip
Name: pysaml2
Vulnerable Version: >=0 <4.5.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02083 (percentile: 0.8333)
Details
pysaml2 Improper Authentication vulnerability
pysaml2 versions 4.4.0 and older accept any password when run with Python optimizations enabled. This allows attackers to log in as any user without knowing their password.
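The failure mode described above, as an added example (not pysaml2's code and not part of the advisory): Python optimizations (`-O`) remove `assert` statements, so a password check written as an assert stops rejecting anything. The function names and credential store are hypothetical, and it is an assumption of this example that the check is an `assert`; `compile(..., optimize=1)` stands in for running the interpreter with `-O`.

```python
# Constructed sample source: a password check written as an assert
# (hypothetical names) next to a form that does not rely on assert.
SOURCE = '''
import hmac
PASSWD = {"alice": "correct horse"}   # constructed credential store

def verify_with_assert(user, password):
    try:
        assert hmac.compare_digest(password, PASSWD[user])
    except (AssertionError, KeyError):
        return False
    return True

def verify_explicit(user, password):
    expected = PASSWD.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password, expected)
'''

def load(optimize):
    """Compile SOURCE as the interpreter would at the given optimization
    level (0 = default, 1 = python -O) and return its namespace."""
    namespace = {}
    exec(compile(SOURCE, "<authn_demo>", "exec", optimize=optimize), namespace)
    return namespace

def check_all(optimize):
    """Run both checks against wrong, right and unknown-user logins."""
    ns = load(optimize)
    return {
        "assert_wrong_pw": ns["verify_with_assert"]("alice", "guess"),
        "assert_right_pw": ns["verify_with_assert"]("alice", "correct horse"),
        "assert_unknown_user": ns["verify_with_assert"]("mallory", "guess"),
        "explicit_wrong_pw": ns["verify_explicit"]("alice", "guess"),
        "explicit_right_pw": ns["verify_explicit"]("alice", "correct horse"),
        "explicit_unknown_user": ns["verify_explicit"]("mallory", "guess"),
    }

if __name__ == "__main__":
    for level in (0, 1):
        print("optimize =", level, check_all(level))
```

With optimization the whole assert statement is dropped, including the dictionary lookup, so even the `KeyError` path for unknown users never runs; the explicit comparison behaves the same at both levels.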
Metadata
Created: 2018-07-13T16:01:17Z
Modified: 2024-10-21T21:09:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-924m-4pmx-c67h/GHSA-924m-4pmx-c67h.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-924m-4pmx-c67h
Finding: F006
Auto approve: 1