CVE-2017-1000433
HIGH8.1EPSS 2.1%python-pysaml2 - security update
Published: 7/13/2018Modified: 4/28/2026
Description
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
Affected packages (5)
- Debian/python-pysaml2from 0, < 4.5.0-2
- Debian/python-pysaml2from 0, < 2.0.0-1+deb8u2
- Debian/python-pysaml2from 0, < 3.0.0-5+deb9u2
- PyPI/pysaml2from 0, < 4.5.0
- PyPI/pysaml2from 0, < 4.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (11)
- ADVISORYhttps://github.com/advisories/GHSA-924m-4pmx-c67h
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000433
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-1000433
- PATCHhttps://github.com/rohe/pysaml2
- WEBhttps://github.com/IdentityPython/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
- WEBhttps://github.com/IdentityPython/pysaml2/pull/454
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2018-48.yaml
- WEBhttps://github.com/rohe/pysaml2/issues/451
- WEBhttps://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- WEBhttps://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
- WEBhttps://security.gentoo.org/glsa/201801-11