CVE-2016-10149

Advisory

XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.


MLIST:[oss-security] 20170119 Re: CVE request: python-pysaml2 XML external entity attack: http://www.openwall.com/lists/oss-security/2017/01/19/5
MISC:https://github.com/rohe/pysaml2/issues/366: https://github.com/rohe/pysaml2/issues/366
CONFIRM:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850716
CONFIRM:https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
CONFIRM:https://github.com/rohe/pysaml2/pull/379: https://github.com/rohe/pysaml2/pull/379
DEBIAN:DSA-3759: http://www.debian.org/security/2017/dsa-3759
REDHAT:RHSA-2017:0936: https://access.redhat.com/errata/RHSA-2017:0936
REDHAT:RHSA-2017:0937: https://access.redhat.com/errata/RHSA-2017:0937
REDHAT:RHSA-2017:0938: https://access.redhat.com/errata/RHSA-2017:0938
BID:97692: http://www.securityfocus.com/bid/97692

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10149
• https://github.com/rohe/pysaml2/pull/379
• https://github.com/rohe/pysaml2/issues/366
• https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850716
• http://www.openwall.com/lists/oss-security/2017/01/19/5
• http://www.debian.org/security/2017/dsa-3759
• http://www.securityfocus.com/bid/97692
• https://access.redhat.com/errata/RHSA-2017:0938
• https://access.redhat.com/errata/RHSA-2017:0937
• https://access.redhat.com/errata/RHSA-2017:0936