Ivan Kanakarakis

2 exploits Active since Jan 2020
CVE-2020-5390 WRITEUP HIGH WRITEUP
Pysaml2 < 5.0.0 - Signature Verification Bypass
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.
CVSS 7.5
CVE-2021-21238 WRITEUP MEDIUM WRITEUP
PySAML2 <6.5.0 - Info Disclosure
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0.
CVSS 6.5