EIQ-2021-0003

EIQ-2021-0003

CVE-2021-21238

CVE-2021-21239

PySAML2 improper verification of cryptographic signature

25 Jan 2021

2 - MEDIUM

6.5

6.5

Planned for 2.10.0

PySAML2 is a Python implementation of the SAML Version 2 Standard.
PySAML2 versions 6.4.1 and earlier perform cryptographic signature validation improperly.

By default, PySAML2 does not validate the SAML document against an XML schema.
By presenting elements with a valid signature inside elements with invalid or malformed content, it is possible to mislead the verification process into accepting invalid XML documents.
CryptoBackendXmlSec1 relies on xmlsec1 to perform document verification. However, instead of validating every signature in the given document, xmlsec1 checks and validates only the first it finds within the given scope.

xmlsec1 needs to be explicitly configured to use only X.509 certificates to verify the SAML document signature.

PySAML2 6.5.0 addresses this vulnerability.

2.9.1 and earlier.

For more information, see

• CVE-2021-21238 on mitre.org

• CVE-2021-21239 on mitre.org

• CWE-20: Improper Input Validation

• CWE-453: Insecure Default Variable Initialization

• SNYK-PYTHON-PYSAML2-1063039

• SNYK-PYTHON-PYSAML2-1063038

• Processing of invalid SAML XML documents (GitHub security issue)

• Unspecified xmlsec1 key-type preference (GitHub security issue)

• GitHub commit with the fix

• GitHub commit with the fix

• GitHub commit with the fix

• GitHub commit with the fix

   This section is not visible to users accessing the public docs, it's for internal reference   

See also:

• not fixed in 2.9.2. [email protected]: requirements/requirements-prod.txt:100:pysaml2==5.0.0 

• Slack convo in the engineering-release channel

• Slack convo in the psirt-ops channel