pysaml2 2.2.0 vulnerabilities

Known vulnerabilities in the pysaml2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H XML External Entity (XXE) Injection pysaml2 is a Python implementation of SAML Version 2 Standard. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection allowing remote attackers to read arbitrary files via a crafted SAML XML request or response. NOTE: This vulnerability has also been identified as: CVE-2016-10127 How to fix XML External Entity (XXE) Injection? Upgrade `pysaml2` to version 4.5.0 or higher.	[,4.5.0)
M Insecure Defaults pysaml2 is a Python implementation of SAML Version 2 Standard. Affected versions of this package are vulnerable to Insecure Defaults. It does not ensure that a signed SAML document is correctly signed. The default `CryptoBackendXmlSec1` backend is using the `xmlsec1` binary to verify the signature of signed SAML documents, but by default, `xmlsec1` accepts any type of key found within the given document. How to fix Insecure Defaults? Upgrade `pysaml2` to version 6.5.0 or higher.	[,6.5.0)
M Improper Validation pysaml2 is a Python implementation of SAML Version 2 Standard. Affected versions of this package are vulnerable to Improper Validation. By default, the SAML document is not validated against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elements with a valid signature inside elements whose content has been malformed. The verification is offloaded to `xmlsec1` and `xmlsec1` will not validate every signature in the given document, but only the first it finds in the given scope. How to fix Improper Validation? Upgrade `pysaml2` to version 6.5.0 or higher.	[,6.5.0)
M XML Signature Wrapping pysaml2 is a Python implementation of SAML Version 2 Standard. Affected versions of this package are vulnerable to XML Signature Wrapping. It does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective. The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed. How to fix XML Signature Wrapping? Upgrade `pysaml2` to version 5.0.0 or higher.	[,5.0.0)
M Weak Encryption `pysaml2` is a Python implementation of SAML Version 2 Affected versions of this package are vulnerable to weak encryption due to reusage of the initialization vector across encryptions in the IDP server. How to fix Weak Encryption? Upgrade `pysaml2` to version 4.6.0 or higher.	[,4.6.0)
H Access Restriction Bypass `pysaml2` is a python implementation of SAML Version 2. Affected versions of the package are vulnerable to Access Restriction Bypass. How to fix Access Restriction Bypass? Upgrade `pysaml2` to version 4.5.0 or higher.	[,4.5.0)
C XML External Entity (XXE) Injection via a crafted SAML XML request or response.	[,4.5.0)
M Access Restriction Bypass `pysaml2` is a Python implementation of SAML Version 2. Affected versions of this package are vulnerable to Access Restriction Bypass	[,2.3.0)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

pysaml2 is a Python implementation of SAML Version 2 Standard.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection allowing remote attackers to read arbitrary files via a crafted SAML XML request or response.

NOTE: This vulnerability has also been identified as: CVE-2016-10127

How to fix XML External Entity (XXE) Injection?

Upgrade pysaml2 to version 4.5.0 or higher.

[,4.5.0)

Insecure Defaults

pysaml2 is a Python implementation of SAML Version 2 Standard.

Affected versions of this package are vulnerable to Insecure Defaults. It does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default, xmlsec1 accepts any type of key found within the given document.

How to fix Insecure Defaults?

Upgrade pysaml2 to version 6.5.0 or higher.

[,6.5.0)

Improper Validation

pysaml2 is a Python implementation of SAML Version 2 Standard.

Affected versions of this package are vulnerable to Improper Validation. By default, the SAML document is not validated against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elements with a valid signature inside elements whose content has been malformed. The verification is offloaded to xmlsec1 and xmlsec1 will not validate every signature in the given document, but only the first it finds in the given scope.

How to fix Improper Validation?

Upgrade pysaml2 to version 6.5.0 or higher.

[,6.5.0)

XML Signature Wrapping

pysaml2 is a Python implementation of SAML Version 2 Standard.

Affected versions of this package are vulnerable to XML Signature Wrapping. It does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective. The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.

How to fix XML Signature Wrapping?

Upgrade pysaml2 to version 5.0.0 or higher.

[,5.0.0)

Weak Encryption

pysaml2 is a Python implementation of SAML Version 2

Affected versions of this package are vulnerable to weak encryption due to reusage of the initialization vector across encryptions in the IDP server.

How to fix Weak Encryption?

Upgrade pysaml2 to version 4.6.0 or higher.

[,4.6.0)

Access Restriction Bypass

pysaml2 is a python implementation of SAML Version 2.

Affected versions of the package are vulnerable to Access Restriction Bypass.

How to fix Access Restriction Bypass?

Upgrade pysaml2 to version 4.5.0 or higher.

[,4.5.0)

XML External Entity (XXE) Injection

via a crafted SAML XML request or response.

[,4.5.0)

Access Restriction Bypass

pysaml2 is a Python implementation of SAML Version 2.

Affected versions of this package are vulnerable to Access Restriction Bypass

[,2.3.0)

pysaml2@2.2.0 vulnerabilities

Python implementation of SAML Version 2 Standard

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?