PT-2020-5164 · Pysaml2

Alexey Sintsov · Published 2020-01-09 · Updated 2024-07-12 · CVE-2020-5390

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: PySAML2 versions prior to 5.0.0

Description: The issue stems from incorrect verification of cryptographic signatures in SAML2 documents, allowing a remote attacker to bypass signature checks and access protected information. The library is affected by XML Signature Wrapping (XSW): the signature and the node/object it actually covers can sit in different places in the document, so signature verification succeeds while the application consumes data the signature never covered. This specifically affects the verification of signed assertions.

Recommendations: For PySAML2 versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of SAML2 assertions until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.
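As an added example (not PySAML2's own code), the consumer-side check that closes the gap the description names: after the cryptographic signature check has passed, confirm that the Assertion you act on is the one the Signature's Reference actually covers, and refuse the Response if any other Assertion is present. It uses a minimal constructed Response and assumes xmlsec-style signature validation has already run separately; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ASSERTION = "{%s}Assertion" % NS["saml"]
# Constructed sample Response; the Signature is structurally minimal and its
# cryptographic validity is assumed to have been checked by a separate xmlsec step.
SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same document with an unsigned Assertion placed ahead of the signed one: the
# shape the advisory describes, where the signed node and the consumed node differ.
WRAPPED = SIGNED.replace('<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>unsigned-user'
    '</saml:NameID></saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">')

def name_id(assertion):
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def naive_subject(xml_text):
    """Pattern XSW exploits: trust the first Assertion found in the document."""
    return name_id(ET.fromstring(xml_text).find(".//saml:Assertion", NS))

def verified_subject(xml_text):
    """Hardened: consume only the Assertion the Signature's Reference covers."""
    root = ET.fromstring(xml_text)
    uris = [r.get("URI", "") for r in root.iter("{%s}Reference" % NS["ds"])]
    if len(uris) != 1 or not uris[0].startswith("#"):
        raise ValueError("expected exactly one same-document Reference")
    target = uris[0][1:]
    # The ID must be unique, must name an Assertion, and that must be the only Assertion.
    by_id = [el for el in root.iter() if el.get("ID") == target]
    if len(by_id) != 1 or by_id[0].tag != ASSERTION:
        raise ValueError("Reference %r does not uniquely name an Assertion" % target)
    if list(root.iter(ASSERTION)) != [by_id[0]]:
        raise ValueError("Assertion present that the signature does not cover")
    return name_id(by_id[0])

def rejects(xml_text):
    try:
        verified_subject(xml_text)
        return False
    except ValueError:
        return True
```

On the plain Response both functions return the same subject; on the wrapped one the naive path returns the unsigned subject while the hardened path refuses the document.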

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

ALT-PU-2023-1286
ALT-PU-2023-1534
BDU:2020-05775
CVE-2020-5390
DLA-2119-1
DSA-4630-1
GHSA-QF7V-8HJ3-4XW7
OPENSUSE-SU-2024:11258-1
OPENSUSE-SU-2024:14156-1
PYSEC-2020-94
SUSE-RU-2020:2072-1
SUSE-SU-2020:1901-1
SUSE-SU-2020:3897-1
USN-4245-1

Affected Products

Alt Linux
Pysaml2
Ubuntu