CVE-2020-5390
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed.
PySAML2 versiones anteriores a la versión 5.0.0 no comprueba que la firma en un documento SAML esté envuelta y, por lo tanto, el empaquetado de la firma es efectivo, es decir, está afectado por XML Signature Wrapping (XSW). La información de la firma y el nodo u objeto que está firmado puede estar en diferentes lugares y, por lo tanto, la comprobación de la firma tendrá éxito, pero serán usados los datos incorrectos. Esto afecta específicamente la comprobación de las afirmaciones que se han firmado.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-03 CVE Reserved
- 2020-01-13 CVE Published
- 2024-05-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://github.com/IdentityPython/pysaml2/releases | Release Notes | |
| https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0 | Release Notes | |
| https://lists.debian.org/debian-lts-announce/2020/02/msg00025.html | Mailing List |
|
| https://pypi.org/project/pysaml2/5.0.0 | Product |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://usn.ubuntu.com/4245-1 | 2023-02-01 | |
| https://www.debian.org/security/2020/dsa-4630 | 2023-02-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Pysaml2 Project Search vendor "Pysaml2 Project" | Pysaml2 Search vendor "Pysaml2 Project" for product "Pysaml2" | < 5.0.0 Search vendor "Pysaml2 Project" for product "Pysaml2" and version " < 5.0.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | esm |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||