{"id":"PYSEC-2018-48","details":"pysaml2 versions 4.4.0 and older accept any password when run with Python optimizations enabled (the -O flag or the PYTHONOPTIMIZE environment variable, which strip assert statements). This allows attackers to log in as any user without knowing their password.","aliases":["CVE-2017-1000433","GHSA-924m-4pmx-c67h"],"modified":"2023-11-08T03:58:46.488294Z","published":"2018-01-02T23:29:00Z","references":[{"type":"REPORT","url":"https://github.com/rohe/pysaml2/issues/451"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201801-11"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00000.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-924m-4pmx-c67h"}],"affected":[{"package":{"name":"pysaml2","ecosystem":"PyPI","purl":"pkg:pypi/pysaml2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.5.0"}]}],"versions":["0.4.3","1.0.1","1.0.2","1.0.3","1.1.0","2.0.0","2.1.0","2.2.0","2.3.0","2.4.0","3.0.0","3.0.2","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0.5rc1","4.1.0","4.2.0","4.3.0","4.4.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2018-48.yaml"}}],"schema_version":"1.7.3"}