CVE-2020-5390

Published: Jan 13, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.

Affected (8)

Products: Pysaml2 Project: Pysaml2 · Canonical: Ubuntu Linux · Debian: Debian Linux

Pysaml2 Project

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pysaml2 Project Pysaml2	Before 5.0.0

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.04
Canonical Ubuntu Linux	Version 19.10

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (16)

https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/IdentityPython/pysaml2/releases

Source: cve@mitre.org

Release NotesThird Party Advisory

https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0

Source: cve@mitre.org

Release NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://pypi.org/project/pysaml2/5.0.0/

Source: cve@mitre.org

ProductThird Party Advisory

https://usn.ubuntu.com/4245-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4630

Source: cve@mitre.org

Third Party Advisory

https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219fd6a290a00f2b6e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/IdentityPython/pysaml2/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://pypi.org/project/pysaml2/5.0.0/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://usn.ubuntu.com/4245-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2020/dsa-4630

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.