pysaml2@2.1.0 vulnerabilities

Python implementation of SAML Version 2 Standard

Direct Vulnerabilities

Known vulnerabilities in the pysaml2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Severity | Vulnerable Version
Severity: High
XML External Entity (XXE) Injection

pysaml2 is a Python implementation of the SAML Version 2 Standard.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection, allowing remote attackers to read arbitrary files via a crafted SAML XML request or response.

NOTE: This vulnerability has also been identified as: CVE-2016-10127

How to fix XML External Entity (XXE) Injection?

Upgrade pysaml2 to version 4.5.0 or higher.

Vulnerable versions: [,4.5.0)
Severity: Medium
Insecure Defaults

pysaml2 is a Python implementation of the SAML Version 2 Standard.

Affected versions of this package are vulnerable to Insecure Defaults. The package does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend uses the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document.

How to fix Insecure Defaults?

Upgrade pysaml2 to version 6.5.0 or higher.

Vulnerable versions: [,6.5.0)
Severity: Medium
Improper Validation

pysaml2 is a Python implementation of the SAML Version 2 Standard.

Affected versions of this package are vulnerable to Improper Validation. By default, the SAML document is not validated against an XML schema. This allows invalid XML documents to trick the verification process by presenting elements with a valid signature inside elements whose content has been malformed. The verification is offloaded to xmlsec1, and xmlsec1 does not validate every signature in the given document, only the first one it finds in the given scope.

How to fix Improper Validation?

Upgrade pysaml2 to version 6.5.0 or higher.

Vulnerable versions: [,6.5.0)
Severity: Medium
XML Signature Wrapping

pysaml2 is a Python implementation of the SAML Version 2 Standard.

Affected versions of this package are vulnerable to XML Signature Wrapping. The package does not check that the signature in a SAML document is enveloped, so signature wrapping is effective: the signature information and the node or object that is signed can be in different places, so signature verification succeeds but the wrong data is used. This specifically affects the verification of assertions that have been signed.

How to fix XML Signature Wrapping?

Upgrade pysaml2 to version 5.0.0 or higher.

Vulnerable versions: [,5.0.0)
Severity: Medium
Weak Encryption

pysaml2 is a Python implementation of SAML Version 2.

Affected versions of this package are vulnerable to Weak Encryption due to reuse of the initialization vector across encryptions in the IdP server.

How to fix Weak Encryption?

Upgrade pysaml2 to version 4.6.0 or higher.

Vulnerable versions: [,4.6.0)
Severity: High
Access Restriction Bypass

pysaml2 is a Python implementation of SAML Version 2.

Affected versions of this package are vulnerable to Access Restriction Bypass.

How to fix Access Restriction Bypass?

Upgrade pysaml2 to version 4.5.0 or higher.

Vulnerable versions: [,4.5.0)
Severity: Critical
XML External Entity (XXE) Injection

via a crafted SAML XML request or response.

Vulnerable versions: [,4.5.0)
Severity: Medium
Access Restriction Bypass

pysaml2 is a Python implementation of SAML Version 2.

Affected versions of this package are vulnerable to Access Restriction Bypass.

Vulnerable versions: [,2.3.0)