CVE-2021-21238 - log

CVE-2021-21238 edited at 23 Jan 2021 04:04:01
References
https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9
https://github.com/IdentityPython/pysaml2/commit/3b707723dcf1bf60677b424aac398c0c3557641d
+ https://github.com/advisories/GHSA-f4g9-h89h-jgv9
+ https://github.com/IdentityPython/pysaml2/commit/1d8fd268f5bf887480a403a7a5ef8f048157cc14
+ https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
+ https://pypi.org/project/pysaml2
+ https://nvd.nist.gov/vuln/detail/CVE-2021-21238
CVE-2021-21238 edited at 21 Jan 2021 18:14:26
Severity
- Medium
+ High
CVE-2021-21238 edited at 21 Jan 2021 18:09:56
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Signature forgery
Description
+ PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0.
References
+ https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9
+ https://github.com/IdentityPython/pysaml2/commit/3b707723dcf1bf60677b424aac398c0c3557641d
Notes
CVE-2021-21238 created at 21 Jan 2021 18:08:16
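The description entered in the 18:09:56 edit says the flaw is a variant of XML Signature wrapping enabled by the lack of schema validation. The following is an added example, not pysaml2 code and not the upstream fix: it builds a constructed SAML Response with one signed Assertion, performs the wrapping (the signed Assertion is moved under samlp:Extensions, where the schema allows none, and an unsigned Assertion is placed where the consumer looks), and runs it against a naive consumer and a hardened one. XML-DSig is stood in for by an HMAC over the serialized Assertion so the script runs with the standard library only; the hardened consumer uses hand-written structural checks that approximate what schema validation enforces for this layout, since the standard library has no XSD validator. All identifiers, keys and the XML itself are constructed for the example.

```python
"""XML Signature wrapping against a naive SAML Response consumer and the
structural (schema-style) checks that defeat it.  Added example, not pysaml2
code.  HMAC stands in for XML-DSig; the wrapping logic is the same whatever
the signature primitive."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for p, u in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(p, u)

IDP_KEY = b"constructed-idp-signing-key"  # constructed stand-in for the IdP key


def _mac(assertion):
    """Digest of an Assertion with its enveloped Signature removed."""
    c = copy.deepcopy(assertion)
    c.tail = None
    for s in c.findall(f"{{{DS}}}Signature"):
        c.remove(s)
    return hmac.new(IDP_KEY, ET.tostring(c), hashlib.sha256).hexdigest()


def _name_id(assertion):
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def idp_response(name_id, assertion_id="a1"):
    """Constructed IdP: a Response carrying one signed Assertion for name_id."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="r1")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=assertion_id)
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}SignedInfo"),
                  f"{{{DS}}}Reference", URI="#" + assertion_id)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _mac(a)
    return ET.tostring(resp)


def wrap(signed_response, attacker_name_id):
    """Attacker: keep the IdP's signed Assertion (moved into samlp:Extensions,
    a position the schema does not allow) and put an unsigned Assertion where
    the consumer looks.  No signed bytes are modified."""
    root = ET.fromstring(signed_response)
    real = root.find(f"{{{SAML}}}Assertion")
    root.remove(real)
    evil = ET.SubElement(root, f"{{{SAML}}}Assertion", ID="evil")
    ET.SubElement(ET.SubElement(evil, f"{{{SAML}}}Subject"),
                  f"{{{SAML}}}NameID").text = attacker_name_id
    ET.SubElement(root, f"{{{SAMLP}}}Extensions").append(real)
    return ET.tostring(root)


def naive_consumer(response):
    """Vulnerable: verifies whichever Signature it finds first, then consumes
    whichever Assertion it finds first.  Nothing ties the two together."""
    root = ET.fromstring(response)
    sig = root.find(f".//{{{DS}}}Signature")
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference").get("URI")
    signed = root.find(f".//*[@ID='{ref[1:]}']")
    if not hmac.compare_digest(sig.findtext(f"{{{DS}}}SignatureValue"), _mac(signed)):
        raise ValueError("bad signature")
    return _name_id(root.find(f".//{{{SAML}}}Assertion"))  # first in document order


def strict_consumer(response):
    """Hardened: enforce the structure the schema allows before trusting any
    element, then verify the signature of the one Assertion actually used."""
    root = ET.fromstring(response)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root is not samlp:Response")
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1 or assertions != root.findall(f"{{{SAML}}}Assertion"):
        raise ValueError("Assertion where the schema allows none, or more than one")
    assertion = assertions[0]
    if len(root.findall(f".//{{{DS}}}Signature")) != 1:
        raise ValueError("unexpected number of Signature elements")
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        raise ValueError("Assertion is not signed")
    aid = assertion.get("ID", "")
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference").get("URI")
    if not aid or ref != "#" + aid or len(root.findall(f".//*[@ID='{aid}']")) != 1:
        raise ValueError("Reference does not bind the Signature to this Assertion")
    if not hmac.compare_digest(sig.findtext(f"{{{DS}}}SignatureValue"), _mac(assertion)):
        raise ValueError("bad signature")
    return _name_id(assertion)


def outcome(consumer, response):
    """Return the accepted NameID, or a 'rejected: ...' string."""
    try:
        return consumer(response)
    except ValueError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    legit = idp_response("alice")
    attack = wrap(legit, "admin")
    for name, consumer in (("naive", naive_consumer), ("strict", strict_consumer)):
        print(name, "legit  ->", outcome(consumer, legit))
        print(name, "wrapped->", outcome(consumer, attack))
```

The naive consumer accepts the wrapped document as "admin": the signature it checks is genuine, but it belongs to an Assertion the consumer never uses. The strict consumer rejects the same document on the structural check alone, before any signature is computed, which is the effect the description attributes to validating against the XML schema; the ID-uniqueness and Reference-URI checks catch the remaining variants in which an attacker reuses the signed element's ID.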