EIQ-2020-0003



ID

EIQ-2020-0003

CVE

CVE-2020-5390

Description

PySAML2 before 5.0.0 is vulnerable to XML Signature Wrapping (XSW).

Date

03 Feb 2020

Severity

3 - HIGH

CVSSv3 score

7.5

Status

✓ 2.7.0

Assessment

A SAML document can consist of several elements that can be linked together. It is possible to create a document where data inside the signed element of a document refers to information inside the same document but outside the signed element. This specifically affects the verification of signed security-token assertions.
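
A structural check for the condition described in the assessment, as an added example (not PySAML2 or EclecticIQ code). It assumes a policy where every assertion carries its own enveloped signature; the function name and sample documents are constructed for illustration, the samples hold no real signature values, and the check complements signature verification rather than replacing it.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def xsw_findings(xml_text):
    """Return structural problems that signature wrapping relies on.

    Does NOT verify the signature itself (hypothetical helper).
    """
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    # ID values must be unique, otherwise "#id" references are ambiguous.
    ids = [el.get("ID") for el in root.iter() if el.get("ID")]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duplicate ID {dup}")
    for assertion in root.iter("{%s}Assertion" % NS["saml"]):
        aid = assertion.get("ID")
        # Only a Signature that is a direct child of the assertion is enveloped.
        refs = [r.get("URI") for r in assertion.findall(
            "ds:Signature/ds:SignedInfo/ds:Reference", NS)]
        if not refs:
            findings.append(f"assertion {aid} has no enveloped signature")
        elif refs != [f"#{aid}"]:
            findings.append(f"assertion {aid} signature references {refs}")
    return findings


# Constructed sample documents (no real signature values).
HEAD = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'xmlns:ds="%(ds)s" ID="_r1">' % NS)
TAIL = "</samlp:Response>"
SIGNED = ('<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
          '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
          '</saml:Assertion>')
UNSIGNED = ('<saml:Assertion ID="_a2"><saml:Subject>'
            '<saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>')
GOOD = HEAD + SIGNED + TAIL
WRAPPED = HEAD + UNSIGNED + SIGNED + TAIL  # data outside the signed element

if __name__ == "__main__":
    print(xsw_findings(GOOD))
    print(xsw_findings(WRAPPED))
```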

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

For more information, see


In release notes 2.7.0