PYSEC-2018-48 — Vulnetix

PYSEC-2018-48 PUBLISHED

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

Affected Products

Vendor	Product	Versions
PyPI	pysaml2	4.0.0, 0, 0.4.3

Timeline

Jan 2, 2018 CVE Published
Nov 8, 2023 CVE Updated
May 1, 2026 Security Advisory

References

https://github.com/advisories/GHSA-924m-4pmx-c67h advisory
https://github.com/rohe/pysaml2/issues/451 discussion
https://security.gentoo.org/glsa/201801-11 advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html advisory
https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html advisory

Open in Interactive Console →