CVE-2020-5390 – pysaml2
Package
Manager: pip
Name: pysaml2
Vulnerable Version: >=0 <5.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00665 (percentile 0.70331)
Details
Improper Verification of Cryptographic Signature in PySAML2. PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped, so signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places, so signature verification succeeds but the wrong data is used. This specifically affects the verification of assertions that have been signed.
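The structural condition the advisory describes, shown as an added example that is not pysaml2 code: a consumer that only asks "does the document contain a Signature whose Reference points at some existing ID?" accepts a document in which the signed assertion and the assertion actually consumed are different elements. The hardened check ties the Signature to the assertion being used: it must be a direct child of that assertion (enveloped), its single Reference URI must name that assertion's own ID, and the ID must be unique in the document. The function names, the two sample SAML documents and the PLACEHOLDER signature values are constructed for this example; no cryptographic verification is performed here.

```python
import xml.etree.ElementTree as ET

# Namespaces from the XML Signature and SAML 2.0 specifications.
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIG = f"{{{DS}}}Signature"
REF = f"{{{DS}}}Reference"
ASSERTION = f"{{{SAML}}}Assertion"

# Constructed sample: the assertion "_a1" carries an enveloped Signature
# whose Reference names "_a1" itself. SignatureValue is a placeholder.
ENVELOPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the wrapped shape the advisory describes: the first
# assertion ("_a2", the one a naive consumer reads) holds a Signature whose
# Reference names "_a1", an element located elsewhere in the document.
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>other-user</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
</samlp:Response>"""


def first_assertion(root):
    """The assertion a naive consumer acts on: the first one in document order."""
    return next(root.iter(ASSERTION))


def naive_signature_present(root) -> bool:
    """Vulnerable pattern: accept if any Signature in the document references an
    existing ID, without relating the signed element to the consumed assertion."""
    for sig in root.iter(SIG):
        for ref in sig.iter(REF):
            uri = ref.get("URI", "")
            if uri.startswith("#") and any(el.get("ID") == uri[1:] for el in root.iter()):
                return True
    return False


def assertion_has_enveloped_signature(root, assertion) -> bool:
    """Hardened structural check: the Signature must be a direct child of the
    assertion being consumed, reference exactly that assertion's ID, and the ID
    must occur exactly once in the document."""
    aid = assertion.get("ID")
    if not aid or sum(1 for el in root.iter() if el.get("ID") == aid) != 1:
        return False
    sigs = [child for child in assertion if child.tag == SIG]
    if len(sigs) != 1:
        return False
    refs = list(sigs[0].iter(REF))
    return len(refs) == 1 and refs[0].get("URI") == "#" + aid


def check(xml_text: str):
    """Return (naive_result, hardened_result) for the assertion a consumer would use."""
    root = ET.fromstring(xml_text)
    assertion = first_assertion(root)
    return naive_signature_present(root), assertion_has_enveloped_signature(root, assertion)


if __name__ == "__main__":
    print("enveloped:", check(ENVELOPED))  # (True, True)
    print("wrapped:  ", check(WRAPPED))    # (True, False)
```

The structural check is a precondition, not a replacement for cryptographic verification: after it passes, the signature over the same assertion element still has to be verified against a trusted key, and the element that was verified must be the one the application reads attributes from.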
Metadata
Created: 2020-05-06T19:41:29Z
Modified: 2024-10-23T15:55:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-qf7v-8hj3-4xw7/GHSA-qf7v-8hj3-4xw7.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-qf7v-8hj3-4xw7
Finding: F163
Auto approve: 1