CVE-2021-21239

MEDIUM LAB

PySAML2 <6.5.0 - Improper Signature Verification

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-21239. PoCs published by Crims-on, illera88, GrantBirki.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2021-21239, an XML signature validation bypass vulnerability in xmlsec. The script manipulates XML input to exploit the flaw and signs it using a provided RSA key.

Description

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

Exploits (4)

nomisec WORKING POC

by Crims-on · poc

https://github.com/Crims-on/CVE-2021-21239

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2021-21239, an XML signature validation bypass vulnerability in xmlsec. The script manipulates XML input to exploit the flaw and signs it using a provided RSA key.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: xmlsec 1.2.25

No auth needed

Prerequisites: xmlsec installed · RSA private key

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by illera88 · poc

https://github.com/illera88/CVE-2021-21239

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2021-21239, a SAML signature validation bypass in Redash <=10.1.0. The exploit forges a SAML response with an embedded public key to impersonate users and escalate privileges via JIT provisioning.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Redash <=10.1.0 (using pysaml2 <6.5.0)

No auth needed

Prerequisites: Access to Redash SAML callback endpoint · RSA key pair generation · Valid SAML template

MITRE ATT&CK

T1550.002 - Pass the Hash

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by GrantBirki · poc

https://github.com/GrantBirki/redash-vulnerable

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-21239, an authentication bypass vulnerability in Redash due to improper SAML signature validation in pysaml2. The PoC includes a Dockerized vulnerable Redash instance and a Python script to forge SAML responses with embedded RSA keys.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Redash (using pysaml2 <= 6.4.1)

No auth needed

Prerequisites: Docker environment · Python 3.x · cryptography library · lxml library

MITRE ATT&CK

T1550.003 - Pass the Ticket

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by RyanBoomer30 · poc

https://github.com/RyanBoomer30/CVE-2021-21239-Exploit

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-21239, which manipulates SAML assertions by replacing attribute values and signature blocks to bypass authentication. The script automates the process of generating a malicious SAML response file.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: VMware vRealize Operations Manager (vROps) 8.x

No auth needed

Prerequisites: Intercepted SAML XML file · OpenSSL and xmlsec1 installed

MITRE ATT&CK