Vulnerability Description
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
CVSS Score
8.1
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pysaml2 Project | Pysaml2 | <= 4.4.0 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://github.com/rohe/pysaml2/issues/451PatchThird Party AdvisoryVDB Entry
- https://lists.debian.org/debian-lts-announce/2018/07/msg00000.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/201801-11Issue TrackingThird Party Advisory
- https://github.com/rohe/pysaml2/issues/451PatchThird Party AdvisoryVDB Entry
- https://lists.debian.org/debian-lts-announce/2018/07/msg00000.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/02/msg00038.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/201801-11Issue TrackingThird Party Advisory
FAQ
What is CVE-2017-1000433?
CVE-2017-1000433 is a vulnerability with a CVSS score of 8.1 (HIGH). pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
How severe is CVE-2017-1000433?
CVE-2017-1000433 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-1000433?
Check the references section above for vendor advisories and patch information. Affected products include: Pysaml2 Project Pysaml2, Debian Debian Linux.