CVE-2021-21239 - Improper Verification of Cryptographic Signature

Severity

65%

Complexity

27%

Confidentiality

60%

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

CVSS 3.1 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Demo Examples

Improper Verification of Cryptographic Signature

CWE-347

In the following code, a JarFile object is created from a downloaded file.


               
JarFile jf = new JarFile(f);

The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead.

Overview

First reported 4 years ago

2021-01-21 15:15:00

Last updated 3 years ago

2021-03-10 21:00:00

Affected Software

PySAML2 Project PySAML2

Debian Linux 9.0

9.0

References

https://github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99

https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0

https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62

https://pypi.org/project/pysaml2

https://www.aleksey.com/pipermail/xmlsec/2013/009717.html

https://github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99

Patch, Third Party Advisory

https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0

Third Party Advisory

https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62

Third Party Advisory

https://pypi.org/project/pysaml2

Product, Third Party Advisory

https://www.aleksey.com/pipermail/xmlsec/2013/009717.html

Exploit, Mailing List, Third Party Advisory

[debian-lts-announce] 20210226 [SECURITY] [DLA 2577-1] python-pysaml2 security update

[debian-lts-announce] 20210226 [SECURITY] [DLA 2577-1] python-pysaml2 security update

Mailing List, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.