7.5

CVE-2020-5390

PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pysaml2 ProjectPysaml2 Version < 5.0.0
CanonicalUbuntu Linux Version16.04 SwEditionesm
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version19.04
CanonicalUbuntu Linux Version19.10
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.21% 0.644
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
Patch
Third Party Advisory
https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e
Patch
Third Party Advisory
https://github.com/IdentityPython/pysaml2/releases
Third Party Advisory
Release Notes
https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
Third Party Advisory
Release Notes
https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html
Third Party Advisory
Mailing List
https://pypi.org/project/pysaml2/5.0.0/
Third Party Advisory
Product
https://usn.ubuntu.com/4245-1/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4630
Third Party Advisory