Fluid Attacks Database

Description

pysaml2 Improper Authentication vulnerability pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pysaml2	>=0 <4.5.0	4.5.0
debian 11	python-pysaml2	>=0 <4.5.0-2	4.5.0-2
debian 14	python-pysaml2	>=0 <4.5.0-2	4.5.0-2
debian 12	python-pysaml2	>=0 <4.5.0-2	4.5.0-2
debian 13	python-pysaml2	>=0 <4.5.0-2	4.5.0-2

Aliases

1. CVE-2017-10004332. NVD-2017-10004333. OSV-2017-10004334. OSV-DEBIAN-2017-10004335. GHSA-924m-4pmx-c67h6. GCVE-2017-10004337. lists.debian.org8. lists.debian.org9. security.gentoo.org10. SECURITY-TRACKER-CVE-2017-1000433

References

1. https://github.com/rohe/pysaml2/issues/4512. https://github.com/IdentityPython/pysaml2/pull/4543. https://github.com/IdentityPython/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a54. https://github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2018-48.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.