#VU50366 Improper Verification of Cryptographic Signature in Python implementation of SAML2 - CVE-2021-21238
Published: January 21, 2021 / Updated: February 4, 2021
Vulnerability identifier: #VU50366
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21238
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Python implementation of SAML2
Python implementation of SAML2
Software vendor:
IdentityPython
IdentityPython
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0.
Remediation
Install update from vendor's website.