{"id":"PYSEC-2021-48","details":"PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because pysaml2 did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed, and such a document could trick pysaml2 into accepting a wrapped signature. This is fixed in PySAML2 6.5.0.","aliases":["CVE-2021-21238","GHSA-f4g9-h89h-jgv9"],"modified":"2023-11-08T04:04:39.068101Z","published":"2021-01-21T15:15:00Z","references":[{"type":"PACKAGE","url":"https://pypi.org/project/pysaml2"},{"type":"WEB","url":"https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.0"},{"type":"FIX","url":"https://github.com/IdentityPython/pysaml2/commit/1d8fd268f5bf887480a403a7a5ef8f048157cc14"},{"type":"ADVISORY","url":"https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9"}],"affected":[{"package":{"name":"pysaml2","ecosystem":"PyPI","purl":"pkg:pypi/pysaml2"},"ranges":[{"type":"GIT","repo":"https://github.com/IdentityPython/pysaml2","events":[{"introduced":"0"},{"fixed":"1d8fd268f5bf887480a403a7a5ef8f048157cc14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.5.0"}]}],"versions":["0.4.3","1.0.1","1.0.2","1.0.3","1.1.0","2.0.0","2.1.0","2.2.0","2.3.0","2.4.0","3.0.0","3.0.2","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5rc1","4.0.5","4.1.0","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4","4.6.5","4.7.0","4.8.0","4.9.0","5.0.0","5.1.0","5.2.0","5.3.0","5.4.0","6.0.0","6.1.0","6.2.0","6.3.0","6.3.1","6.4.0","6.4.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2021-48.yaml"}}],"schema_version":"1.7.3"}