EIQ-2021-0003

ID

EIQ-2021-0003

CVE

CVE-2021-21238

CVE-2021-21239

Description

PySAML2 improper verification of cryptographic signature

Date

25 Jan 2021

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

✅ 2.10.0

Assessment

PySAML2 is a Python implementation of the SAML Version 2 Standard.

PySAML2 versions 6.4.1 and earlier perform cryptographic signature validation improperly.

By default, PySAML2 does not validate the SAML document against an XML schema.

By presenting elements with a valid signature inside elements with invalid or malformed content, it is possible to mislead the verification process into accepting invalid XML documents.

CryptoBackendXmlSec1 relies on xmlsec1 to perform document verification. However, instead of validating every signature in the given document, xmlsec1 checks and validates only the first signature it finds within the given scope.
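The following is an added example and is not PySAML2's code or part of the 6.5.0 fix. It shows the kind of structural pre-check a service provider can run on a SAML Response before handing it to a signature backend that only verifies the first signature it finds: it rejects documents in which a signature does not envelop the element it references, in which ID values are ambiguous, or in which the consumed Assertion is not itself covered by a signature. The function and sample documents (`check_signature_structure`, `reject_reason`, the `GOOD`, `MISMATCHED_REFERENCE` and `DUPLICATE_ID` fixtures) are hypothetical and constructed here; the fixtures carry dummy `SignatureValue` content and are not cryptographically signed. The check assumes enveloped signatures (a `ds:Signature` child whose single `ds:Reference` URI is `#<ID>` of its parent) and exactly one Assertion directly under the Response. It is defense in depth alongside schema validation and an upgraded PySAML2, not a substitute for either.

```python
"""Structural pre-checks run on a SAML Response before signature verification.

Added example, not PySAML2 code. Assumes the service provider consumes exactly
one saml:Assertion carrying an enveloped ds:Signature whose single ds:Reference
URI is "#<ID>" of that Assertion. Standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE = f"{{{NS['samlp']}}}Response"
ASSERTION = f"{{{NS['saml']}}}Assertion"
SIGNATURE = f"{{{NS['ds']}}}Signature"


class SamlStructureError(ValueError):
    """Raised when the document shape is not the one the verifier expects."""


def check_signature_structure(xml_text):
    """Return the ID of the single signed Assertion or raise SamlStructureError.

    The checks narrow the document shape so that whichever ds:Signature a
    first-match backend picks, it is enveloped over the element it references,
    and the Assertion the application goes on to consume is among the signed
    elements.
    """
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE:
        raise SamlStructureError(f"root is {root.tag}, expected samlp:Response")
    parents = {child: parent for parent in root.iter() for child in parent}

    # 1. ID values must be unique so that a "#<ID>" reference resolves to one element.
    seen = set()
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is not None:
            if el_id in seen:
                raise SamlStructureError(f"duplicate ID {el_id!r}")
            seen.add(el_id)

    # 2. Every signature must be enveloped and reference exactly its parent element.
    signed = set()
    for sig in root.iter(SIGNATURE):
        parent = parents.get(sig)
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if parent is None or len(refs) != 1:
            raise SamlStructureError("signature is not a single enveloped reference")
        uri = refs[0].get("URI", "")
        if not uri.startswith("#") or uri[1:] != parent.get("ID"):
            raise SamlStructureError(
                f"Reference URI {uri!r} does not point at the signature's parent")
        signed.add(parent)

    # 3. Exactly one Assertion, a direct child of the Response, and it is signed.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        raise SamlStructureError(f"expected one saml:Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if parents.get(assertion) is not root:
        raise SamlStructureError("Assertion is not a direct child of the Response")
    if assertion not in signed:
        raise SamlStructureError("Assertion is not covered by an enveloped signature")
    return assertion.get("ID")


def reject_reason(xml_text):
    """None when the document passes the structural checks, else the reason."""
    try:
        check_signature_structure(xml_text)
        return None
    except (SamlStructureError, ET.ParseError) as exc:
        return str(exc)


# Constructed sample documents: no real signatures, SignatureValue is a dummy.
_OPEN = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_response1">')
_CLOSE = "</samlp:Response>"


def _signature(ref_id):
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref_id}"/>'
            "</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>")


# Expected shape: one Assertion whose signature references its own ID.
GOOD = (_OPEN + '<saml:Assertion ID="_a1"><saml:Issuer>idp</saml:Issuer>'
        + _signature("_a1") + "</saml:Assertion>" + _CLOSE)
# A signature is present, but its Reference points at an ID other than its parent's.
MISMATCHED_REFERENCE = (_OPEN + '<saml:Assertion ID="_a1">'
                        + _signature("_response1") + "</saml:Assertion>" + _CLOSE)
# Two elements share one ID value, so the reference "#_a1" is ambiguous.
DUPLICATE_ID = (_OPEN + '<saml:Assertion ID="_a1">' + _signature("_a1")
                + '<saml:Subject ID="_a1"/></saml:Assertion>' + _CLOSE)

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("MISMATCHED_REFERENCE", MISMATCHED_REFERENCE),
                      ("DUPLICATE_ID", DUPLICATE_ID)]:
        print(f"{name}: {reject_reason(doc) or 'accepted'}")
```

Run the pre-check first and only pass documents that return an Assertion ID on to the cryptographic verifier, keyed to that ID; the check itself verifies nothing cryptographically, it only removes the document shapes in which "verify the first signature found" and "verify the Assertion I consume" can differ.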

Mitigation

xmlsec1 needs to be explicitly configured to use only X.509 certificates to verify the SAML document signature.

PySAML2 6.5.0 addresses this vulnerability.

Affected versions

2.9.1 and earlier.

Notes

For more information, see