CVE-2021-21239

Description

### Impact All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not ensure that a signed SAML document is correctly signed. The default `CryptoBackendXmlSec1` backend is using the `xmlsec1` binary to verify the signature of signed SAML documents, but by default, `xmlsec1` accepts any type of key found within the given document. `xmlsec1` needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. ### Patches Users should upgrade to pysaml2 `v6.5.0`. ### Workarounds No workaround provided at this point. ### References This issue has been reported in the past at the xmlsec1 mailing list: https://www.aleksey.com/pipermail/xmlsec/2013/009717.html ### Credits - Brian Wolff ### For more information If you have any questions or comments about this advisory: * Open an issue in [pysaml2](https://github.com/IdentityPython/pysaml2) * Email us at [the incident-response address](mailto:[email protected])

Affected packages (3)

• Debian/python-pysaml2from 0, < 6.5.1-1
• PyPI/pysaml2from 0, < 6.5.0
• PyPI/pysaml2from 0, < 46578df0695269a16f1c94171f1429873f90ed99 | from 0, < 6.5.0

CVSS scores

References (10)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21239
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-21239
• PATCHhttps://github.com/IdentityPython/pysaml2
• WEBhttps://github.com/IdentityPython/pysaml2/commit/46578df0695269a16f1c94171f1429873f90ed99
• WEBhttps://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0
• WEBhttps://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pysaml2/PYSEC-2021-49.yaml
• WEBhttps://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
• WEBhttps://pypi.org/project/pysaml2
• WEBhttps://www.aleksey.com/pipermail/xmlsec/2013/009717.html