PyPi: Pysaml2

CVE-2016-10127

Safety vulnerability ID: 35659

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 03, 2017. Updated at Mar 29, 2024.

Advisory

PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.

Affected package

pysaml2

Latest version: 7.5.0

Python implementation of SAML Version 2 Standard

Affected versions

Fixed versions

Vulnerability changelog

PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.

References:
MLIST: [oss-security] 20170119 Re: CVE request: python-pysaml2 XML external entity attack: http://www.openwall.com/lists/oss-security/2017/01/19/5
MISC: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850716
MISC: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
MISC: https://github.com/rohe/pysaml2/issues/366
MISC: https://github.com/rohe/pysaml2/pull/379
BID: 95376: http://www.securityfocus.com/bid/95376


Severity Details

CVSS Base Score

CRITICAL 9.0

CVSS v3 Details

CRITICAL 9.0
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
REQUIRED
Scope (S)
CHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Impact (A)
HIGH

CVSS v2 Details

MEDIUM 6.8
Access Vector (AV)
NETWORK
Access Complexity (AC)
MEDIUM
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
PARTIAL
Availability Impact (A)
PARTIAL