CVE-2017-11427
Python-saml allows manipulation of SAML data without invalidation of cryptographic signature
7.7
HIGH
CVSS 3.1
EPSS 3.4%
Description
OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
How to fix CVE-2017-11427
To remediate CVE-2017-11427, upgrade the affected package to a fixed version below.
- —upgrade to 2.4.0 or later
- —upgrade to 2.4.0 or later
Is CVE-2017-11427 being exploited?
Low — EPSS is 3.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.4.0
- from 0, < 2.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |