CVE-2017-1000433

NameCVE-2017-1000433
Descriptionpysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs886423

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-pysaml2 (PTS)jessie (security), jessie2.0.0-1+deb8u1vulnerable
stretch3.0.0-5vulnerable
buster, sid4.0.2-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-pysaml2source(unstable)(unfixed)medium886423

Notes

https://github.com/rohe/pysaml2/issues/451
Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5

Search for package or bug name: Reporting problems