CVE-2021-21239

Name of the Vulnerable Software and Affected Versions: PySAML2 versions prior to 6.5.0

Description: The issue is related to an improper verification of cryptographic signatures in PySAML2, a pure python implementation of SAML Version 2 Standard. Users of PySAML2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. The default CryptoBackendXmlSec1 backend uses the xmlsec1 binary to verify the signature of signed SAML documents, but by default, xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use x509 certificates for the verification process of the SAML document signature.

Recommendations: For PySAML2 versions prior to 6.5.0, upgrade to PySAML2 version 6.5.0 to resolve the issue. As a temporary workaround, consider configuring xmlsec1 to only use x509 certificates for the verification process of the SAML document signature. Restrict access to the default CryptoBackendXmlSec1 backend to minimize the risk of exploitation. Avoid using the default CryptoBackendXmlSec1 backend until the issue is resolved.