CVE-2017-1000433

Name: CVE-2017-1000433
Description: pysaml2 version 4.4.0 and older accept any password when run with Python optimizations enabled (python -O or PYTHONOPTIMIZE, which strip assert statements from the compiled code, so a password check implemented as an assert is silently removed). This allows attackers to log in as any user without knowing their password.
Source: CVE (at NVD)
References: DLA-1410-1
NVD severity: medium
Debian Bugs: 886423
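The description above names the mechanism but does not show it. The block below is an added example, not pysaml2's own code and not part of this tracker page: a hypothetical assert-based password verifier (the vulnerable shape) beside a hardened one, both compiled at Python's optimisation level 1, which is what python -O does, so the effect can be observed without restarting the interpreter. The names PASSWD, VULNERABLE_SRC, HARDENED_SRC, build_verifier, attempt, running_optimized and demo, and the credential store, are constructed for this demonstration.

```python
"""Added example for CVE-2017-1000433: an assert-based password check
disappears under python -O. Hypothetical code, not pysaml2's own."""
import hmac
import sys

# Constructed credential store for the demonstration (not pysaml2 data).
PASSWD = {"alice": "correct horse battery staple"}

# Vulnerable shape: the entire password check is an assert statement.
# Python's -O flag (and PYTHONOPTIMIZE=1) compiles assert statements away,
# so under optimisation this function body is effectively "return True".
VULNERABLE_SRC = """
def verify(pwd, user):
    assert pwd == PASSWD[user]
    return True
"""

# Hardened shape: ordinary control flow that survives optimisation,
# using a constant-time comparison and raising on mismatch.
HARDENED_SRC = """
import hmac
def verify(pwd, user):
    expected = PASSWD.get(user, "")
    if not hmac.compare_digest(pwd.encode(), expected.encode()):
        raise ValueError("wrong password")
    return True
"""


def build_verifier(src, optimize):
    """Compile src at the given optimisation level and return its verify().

    optimize=0 keeps asserts (plain interpreter); optimize=1 removes them,
    mirroring python -O. This is the documented `optimize` argument of compile().
    """
    namespace = {"PASSWD": PASSWD}
    exec(compile(src, "<verify>", "exec", optimize=optimize), namespace)
    return namespace["verify"]


def attempt(verify_fn, user, pwd):
    """Return True if the login is accepted, False if it is rejected."""
    try:
        return bool(verify_fn(pwd, user))
    except (AssertionError, ValueError, KeyError):
        return False


def running_optimized():
    """True when this interpreter was itself started with -O or PYTHONOPTIMIZE."""
    return sys.flags.optimize > 0


def demo():
    """Map (variant, optimize level, case) -> whether a bad login was accepted."""
    results = {}
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        for level in (0, 1):
            verify = build_verifier(src, level)
            results[(name, level, "wrong-pw")] = attempt(verify, "alice", "not-the-password")
            results[(name, level, "unknown-user")] = attempt(verify, "mallory", "anything")
    return results


if __name__ == "__main__":
    print("interpreter started optimised:", running_optimized())
    for key, accepted in sorted(demo().items()):
        print(key, "ACCEPTED" if accepted else "rejected")
```

Run with python3 to see the vulnerable variant accept a wrong password, and even an unknown user, only at optimisation level 1, while the hardened variant rejects both at every level. The practical checks that follow from this: grep authentication and authorisation paths for `assert`, and treat PYTHONOPTIMIZE in a container or service environment as a deployment-time change that can silently remove such checks; `sys.flags.optimize` reports the level the running process was started with.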

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release                       Version           Status
python-pysaml2 (PTS)   stretch (security), stretch   3.0.0-5+deb9u1    vulnerable
python-pysaml2 (PTS)   buster, buster (security)     4.5.0-4+deb10u1   fixed
python-pysaml2 (PTS)   bullseye, sid                 6.1.0-2           fixed

The information below is based on the following data on fixed versions.

Package          Type     Release      Fixed Version     Urgency   Origin       Debian Bugs
python-pysaml2   source   jessie       2.0.0-1+deb8u2              DLA-1410-1
python-pysaml2   source   (unstable)   4.5.0-2                                  886423

Notes

[stretch] - python-pysaml2 <no-dsa> (Minor issue)
https://github.com/rohe/pysaml2/issues/451
Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
