CVE-2017-1000433

Name: CVE-2017-1000433
Description: pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search)
References: DLA-1410-1, DLA-2577-1
Debian Bugs: 886423

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                                     Version         Status
python-pysaml2 (PTS)  jessie, jessie (lts)                        2.0.0-1+deb8u4  fixed
                      stretch (security), stretch (lts), stretch  3.0.0-5+deb9u2  fixed
                      buster (security), buster, buster (lts)     4.5.0-4+deb10u1 fixed
                      bullseye                                    6.5.1-1         fixed
                      bookworm                                    7.0.1-2         fixed
                      trixie                                      7.5.0-2         fixed
                      sid                                         7.5.0-3         fixed

The information below is based on the following data on fixed versions.

Package         Type    Release     Fixed Version   Urgency  Origin      Debian Bugs
python-pysaml2  source  jessie      2.0.0-1+deb8u2           DLA-1410-1
python-pysaml2  source  stretch     3.0.0-5+deb9u2           DLA-2577-1
python-pysaml2  source  (unstable)  4.5.0-2                              886423

Notes

Upstream issue: https://github.com/rohe/pysaml2/issues/451
Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
