CVE-2017-1000433
pysaml2 < 4.4.0 - Improper Authentication via Python Optimization Mode
Severity: HIGH
pysaml2 version 4.4.0 and older accept any password when run with Python optimizations enabled. This allows attackers to log in as any user without knowing their password.
References (4)
- Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html
- Patch, Third Party Advisory, VDB Entry (x_refsource_confirm): https://github.com/rohe/pysaml2/issues/451
- Issue Tracking, Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201801-11
- Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
Scores
CVSS v3: 8.1
EPSS: 0.0252
EPSS Percentile: 82.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (4)
- debian/debian_linux: 8.0
- debian/debian_linux: 9.0
- pypi/pysaml2: 0 - 4.5.0 (PyPI)
- pysaml2_project/pysaml2: < 4.4.0
Published: Jan 02, 2018
Tracked Since: Feb 18, 2026