CVE-2017-1000433
python-pysaml2 - security update
8.1
HIGH
CVSS 3.1
EPSS 2.1%
Description
pysaml2 4.4.0 and older accept any password when run with Python optimizations enabled (`python -O`/`-OO`, or `PYTHONOPTIMIZE` set in the environment). The cause is in pysaml2's built-in username/password authentication code: the password check is written as an `assert` statement and the failure path relies on catching `AssertionError`. The interpreter strips `assert` statements at optimization level 1 or higher, so the check never executes and every login attempt is treated as successful. This allows attackers to log in as any user without knowing their password.
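The following is an added example, not pysaml2's code, that reproduces the failure mode described above in isolation. A password check is written once as an `assert` (the vulnerable pattern) and once as an explicit conditional (the hardened pattern); each is compiled at optimization level 0 and level 1, which is what `python -O` applies, and a wrong password is submitted. The user store, the salted hash, and the `verify`/`build_verify`/`login_results` names are constructed for the demonstration.

```python
"""Why an assert-based password check vanishes under python -O, and what
the robust form looks like.  Added example; the user store, hash scheme and
function names are constructed for illustration and are not pysaml2's."""
import hashlib
import hmac

# Constructed sample user store: username -> salted SHA-256 hex digest.
_SALT = b"example-salt"
USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}


def _password_matches(username, password):
    """Return True only if the stored hash matches the supplied password."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


# Vulnerable pattern: the only gate between the caller and a session is an
# `assert`.  At optimization level >= 1 (python -O, PYTHONOPTIMIZE=1) Python
# compiles the statement out, so the except branch can never be reached.
VULNERABLE_SRC = '''
def verify(username, password):
    try:
        assert _password_matches(username, password)
        return "cookie-for-" + username   # login succeeded
    except AssertionError:
        return None                       # login failed
'''

# Hardened pattern: an explicit conditional survives every optimization level.
HARDENED_SRC = '''
def verify(username, password):
    if not _password_matches(username, password):
        return None
    return "cookie-for-" + username
'''


def build_verify(src, optimize):
    """Compile `src` at the given optimization level (0 = default,
    1 = what `python -O` uses) and return its verify() bound to USERS."""
    namespace = {"_password_matches": _password_matches}
    exec(compile(src, "<verify>", "exec", optimize=optimize), namespace)
    return namespace["verify"]


def login_results(src):
    """Submit a wrong password to both builds of `src`.

    Returns (accepted_at_level_0, accepted_at_level_1); True means the
    wrong password produced a session cookie."""
    normal = build_verify(src, optimize=0)
    optimized = build_verify(src, optimize=1)
    return (
        normal("alice", "wrong") is not None,
        optimized("alice", "wrong") is not None,
    )


if __name__ == "__main__":
    print("vulnerable pattern:", login_results(VULNERABLE_SRC))  # (False, True)
    print("hardened pattern:  ", login_results(HARDENED_SRC))    # (False, False)
```

The vulnerable pattern behaves correctly at level 0 and accepts any password at level 1, which is exactly why the bug was invisible in development and only surfaced in deployments started with `-O`. The general rule this illustrates: `assert` is a debugging aid that the interpreter is entitled to remove, so it must never carry an authentication, authorization or input-validation decision.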
How to fix CVE-2017-1000433
To remediate CVE-2017-1000433, upgrade the affected package to a fixed version below. Until the upgrade lands, confirm that the service is not started with `python -O`/`-OO` and that `PYTHONOPTIMIZE` is unset in its environment (inside the running process, `sys.flags.optimize` should be 0 and `__debug__` should be True): the bypass exists only when asserts are compiled out. Treat that as a stopgap, not a fix, since a later change to the service unit or container entrypoint can reintroduce the flag.
- Debian/python-pysaml2—upgrade to 4.5.0-2 or later
- —upgrade to 2.0.0-1+deb8u2 or later
- —upgrade to 3.0.0-5+deb9u2 or later
- —upgrade to 4.5.0 or later
- —upgrade to 4.5.0 or later
Is CVE-2017-1000433 being exploited?
Low. EPSS puts the probability of exploitation in the wild over the next 30 days at 2.1%; that is a population-level estimate, not a statement about any particular deployment. Where an affected pysaml2 service is started with `python -O`/`-OO` or with `PYTHONOPTIMIZE` set, the bypass requires nothing more than submitting an arbitrary password for a known username, so such deployments should be treated as trivially exploitable regardless of the EPSS figure.
Affected packages (5)
- from 0, < 4.5.0-2
- from 0, < 2.0.0-1+deb8u2
- from 0, < 3.0.0-5+deb9u2
- from 0, < 4.5.0
- from 0, < 4.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | 8.1 (HIGH) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |