csaf_suse - suse-su-2021:0048-1

SUSE-SU-2021:0048-1

Vulnerability from csaf_suse - Published: 2021-01-08 12:37 - Updated: 2021-01-08 12:37

Summary

Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec

Notes

Title of the patch

Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec

Description of the patch

This update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec fixes the following issues: - Update to 0.6.0 - Increase test coverage. - Add badges to README. - Test on Python 3.7 stable and 3.8-dev - Drop support for Python 3.4 - No longer pass *html* argument to XMLParse. It has been deprecated and ignored for a long time. The DefusedXMLParser still takes a html argument. A deprecation warning is issued when the argument is False and a TypeError when it's True. - defusedxml now fails early when pyexpat stdlib module is not available or broken. - defusedxml.ElementTree.__all__ now lists ParseError as public attribute. - The defusedxml.ElementTree and defusedxml.cElementTree modules had a typo and used XMLParse instead of XMLParser as an alias for DefusedXMLParser. Both the old and fixed name are now available. - Remove superfluous devel dependency for noarch package - Update to 5.0 * Add compatibility with Python 3.6 * Drop support for Python 2.6, 3.1, 3.2, 3.3 * Fix lxml tests (XMLSyntaxError: Detected an entity reference loop) - Implement single-spec version. - Dummy changelog for bsc#1019074, FATE#322329 - Add dependency on the full python (which is not pulled by setuptools anymore). Use %{pythons} macro now. (bsc#1177200) - Upgrade to 0.3.12: * Refactor classes to functions * Ignore Selenium * Move to pytest * Conditionally patch time.clock (removed in 3.8) * Patch time.time_ns added in Python 3.7 - Do not require python2 module for building python3 module - Update to 0.3.11: * Performance improvements * Fix nesting time.time * Add nanosecond property - Remove superfluous devel dependency for noarch package - Add remove_dependency_on_mock.patch which removes dependency on python-mock for Python 3, where it is not required. - update to 0.3.10 * Performance improvements * Coroutine support - update to version 0.3.9 * If no time to be frozen, use current time * Fix uuid1 issues * Add support for python 3.6 update to version 0.3.8 * Improved unpatching when importing modules after freeze_time start() * Add manual increment via tick method * Fix bug with time.localtime not being reset. Closes #112. * Fix test to work when current timezone is GMT-14 or GMT+14. * Fixed #162 - allow decorating old-style classes. * Add support to PyMySQL * Assume the default time to freeze is 'now'. * Register fake types in PyMySQL conversions * Ignore threading and Queue modules. Closes #129. * Lock down coverage version since new coverage doesnt support py3.2 * Fix or py3 astimezone and not passing tz. Closes #138. * Add note about deafult arguments. Closes #140. * Add license info. Closes #120. - Update to 0.3.5 * No upstream changelog - Remove unneeded freeze_hideDeps.patch - Use download Url as source - Use tarball provided by pypi - update to 1.5.1 * Use poetry instead of setuptools directly * Fix #42: raise exception if package is missing * Fix version parsing for openssl-like version numbers, fixes #32 * Add boolean static keyword to output private libraries as well * Raise original OSError as well - Add missing test dependency pkgconfig

Patchnames

SUSE-2021-48,SUSE-Storage-6-2021-48

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec fixes the following issues:\n\n\n- Update to 0.6.0\n  - Increase test coverage.\n  - Add badges to README.\n  - Test on Python 3.7 stable and 3.8-dev\n  - Drop support for Python 3.4\n  - No longer pass *html* argument to XMLParse. It has been deprecated and\n    ignored for a long time. The DefusedXMLParser still takes a html argument.\n    A deprecation warning is issued when the argument is False and a TypeError\n    when it\u0027s True.\n  - defusedxml now fails early when pyexpat stdlib module is not available or\n    broken.\n  - defusedxml.ElementTree.__all__ now lists ParseError as public attribute.\n  - The defusedxml.ElementTree and defusedxml.cElementTree modules had a typo\n    and used XMLParse instead of XMLParser as an alias for DefusedXMLParser.\n    Both the old and fixed name are now available.\n\n- Remove superfluous devel dependency for noarch package\n\n- Update to 5.0\n  * Add compatibility with Python 3.6\n  * Drop support for Python 2.6, 3.1, 3.2, 3.3\n  * Fix lxml tests (XMLSyntaxError: Detected an entity reference loop)\n- Implement single-spec version.\n\n- Dummy changelog for bsc#1019074, FATE#322329\n\n- Add dependency on the full python (which is not pulled by\n  setuptools anymore). Use %{pythons} macro now. (bsc#1177200)\n\n- Upgrade to 0.3.12:\n  * Refactor classes to functions\n  * Ignore Selenium\n  * Move to pytest\n  * Conditionally patch time.clock (removed in 3.8)\n  * Patch time.time_ns added in Python 3.7\n\n- Do not require python2 module for building python3 module\n\n- Update to 0.3.11:\n    * Performance improvements\n    * Fix nesting time.time\n    * Add nanosecond property\n\n- Remove superfluous devel dependency for noarch package\n\n- Add remove_dependency_on_mock.patch which removes dependency on\n  python-mock for Python 3, where it is not required.\n\n- update to 0.3.10 \n * Performance improvements\n * Coroutine support\n\n- update to version 0.3.9\n  * If no time to be frozen, use current time\n  * Fix uuid1 issues\n  * Add support for python 3.6\n\nupdate to version 0.3.8\n  * Improved unpatching when importing modules after freeze_time start()\n  * Add manual increment via tick method\n  * Fix bug with time.localtime not being reset. Closes #112.\n  * Fix test to work when current timezone is GMT-14 or GMT+14.\n  * Fixed #162 - allow decorating old-style classes.\n  * Add support to PyMySQL\n  * Assume the default time to freeze is \u0027now\u0027.\n  * Register fake types in PyMySQL conversions\n  * Ignore threading and Queue modules. Closes #129.\n  * Lock down coverage version since new coverage doesnt support py3.2\n  * Fix or py3 astimezone and not passing tz. Closes #138.\n  * Add note about deafult arguments. Closes #140.\n  * Add license info. Closes #120.\n\n- Update to 0.3.5\n  * No upstream changelog\n- Remove unneeded freeze_hideDeps.patch\n\n- Use download Url as source\n- Use tarball provided by pypi\n\n- update to 1.5.1\n  * Use poetry instead of setuptools directly\n  * Fix #42: raise exception if package is missing\n  * Fix version parsing for openssl-like version numbers, fixes #32\n  * Add boolean static keyword to output private libraries as well\n  * Raise original OSError as well\n\n- Add missing test dependency pkgconfig\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2021-48,SUSE-Storage-6-2021-48",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_0048-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2021:0048-1",
        "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20210048-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2021:0048-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-January/008165.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1019074",
        "url": "https://bugzilla.suse.com/1019074"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1041090",
        "url": "https://bugzilla.suse.com/1041090"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1177200",
        "url": "https://bugzilla.suse.com/1177200"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-11427 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-11427/"
      }
    ],
    "title": "Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec",
    "tracking": {
      "current_release_date": "2021-01-08T12:37:58Z",
      "generator": {
        "date": "2021-01-08T12:37:58Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2021:0048-1",
      "initial_release_date": "2021-01-08T12:37:58Z",
      "revision_history": [
        {
          "date": "2021-01-08T12:37:58Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-xmlsec-1.3.6-1.5.1.aarch64",
                "product": {
                  "name": "python2-xmlsec-1.3.6-1.5.1.aarch64",
                  "product_id": "python2-xmlsec-1.3.6-1.5.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-xmlsec-1.3.6-1.5.1.aarch64",
                "product": {
                  "name": "python3-xmlsec-1.3.6-1.5.1.aarch64",
                  "product_id": "python3-xmlsec-1.3.6-1.5.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-defusedxml-0.6.0-1.5.1.noarch",
                "product": {
                  "name": "python2-defusedxml-0.6.0-1.5.1.noarch",
                  "product_id": "python2-defusedxml-0.6.0-1.5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python2-freezegun-0.3.12-1.5.1.noarch",
                "product": {
                  "name": "python2-freezegun-0.3.12-1.5.1.noarch",
                  "product_id": "python2-freezegun-0.3.12-1.5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python2-isodate-0.6.0-1.3.2.noarch",
                "product": {
                  "name": "python2-isodate-0.6.0-1.3.2.noarch",
                  "product_id": "python2-isodate-0.6.0-1.3.2.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python2-pkgconfig-1.5.1-1.5.1.noarch",
                "product": {
                  "name": "python2-pkgconfig-1.5.1-1.5.1.noarch",
                  "product_id": "python2-pkgconfig-1.5.1-1.5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python2-python3-saml-1.9.0-1.5.2.noarch",
                "product": {
                  "name": "python2-python3-saml-1.9.0-1.5.2.noarch",
                  "product_id": "python2-python3-saml-1.9.0-1.5.2.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-defusedxml-0.6.0-1.5.1.noarch",
                "product": {
                  "name": "python3-defusedxml-0.6.0-1.5.1.noarch",
                  "product_id": "python3-defusedxml-0.6.0-1.5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-freezegun-0.3.12-1.5.1.noarch",
                "product": {
                  "name": "python3-freezegun-0.3.12-1.5.1.noarch",
                  "product_id": "python3-freezegun-0.3.12-1.5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-isodate-0.6.0-1.3.2.noarch",
                "product": {
                  "name": "python3-isodate-0.6.0-1.3.2.noarch",
                  "product_id": "python3-isodate-0.6.0-1.3.2.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-pkgconfig-1.5.1-1.5.1.noarch",
                "product": {
                  "name": "python3-pkgconfig-1.5.1-1.5.1.noarch",
                  "product_id": "python3-pkgconfig-1.5.1-1.5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-python3-saml-1.9.0-1.5.2.noarch",
                "product": {
                  "name": "python3-python3-saml-1.9.0-1.5.2.noarch",
                  "product_id": "python3-python3-saml-1.9.0-1.5.2.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-xmlsec-1.3.6-1.5.1.x86_64",
                "product": {
                  "name": "python2-xmlsec-1.3.6-1.5.1.x86_64",
                  "product_id": "python2-xmlsec-1.3.6-1.5.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-xmlsec-1.3.6-1.5.1.x86_64",
                "product": {
                  "name": "python3-xmlsec-1.3.6-1.5.1.x86_64",
                  "product_id": "python3-xmlsec-1.3.6-1.5.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Enterprise Storage 6",
                "product": {
                  "name": "SUSE Enterprise Storage 6",
                  "product_id": "SUSE Enterprise Storage 6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:ses:6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-defusedxml-0.6.0-1.5.1.noarch as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-defusedxml-0.6.0-1.5.1.noarch"
        },
        "product_reference": "python3-defusedxml-0.6.0-1.5.1.noarch",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-freezegun-0.3.12-1.5.1.noarch as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-freezegun-0.3.12-1.5.1.noarch"
        },
        "product_reference": "python3-freezegun-0.3.12-1.5.1.noarch",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-isodate-0.6.0-1.3.2.noarch as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-isodate-0.6.0-1.3.2.noarch"
        },
        "product_reference": "python3-isodate-0.6.0-1.3.2.noarch",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-pkgconfig-1.5.1-1.5.1.noarch as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-pkgconfig-1.5.1-1.5.1.noarch"
        },
        "product_reference": "python3-pkgconfig-1.5.1-1.5.1.noarch",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-python3-saml-1.9.0-1.5.2.noarch as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-python3-saml-1.9.0-1.5.2.noarch"
        },
        "product_reference": "python3-python3-saml-1.9.0-1.5.2.noarch",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-xmlsec-1.3.6-1.5.1.aarch64 as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.aarch64"
        },
        "product_reference": "python3-xmlsec-1.3.6-1.5.1.aarch64",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-xmlsec-1.3.6-1.5.1.x86_64 as component of SUSE Enterprise Storage 6",
          "product_id": "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.x86_64"
        },
        "product_reference": "python3-xmlsec-1.3.6-1.5.1.x86_64",
        "relates_to_product_reference": "SUSE Enterprise Storage 6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-11427",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-11427"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 6:python3-defusedxml-0.6.0-1.5.1.noarch",
          "SUSE Enterprise Storage 6:python3-freezegun-0.3.12-1.5.1.noarch",
          "SUSE Enterprise Storage 6:python3-isodate-0.6.0-1.3.2.noarch",
          "SUSE Enterprise Storage 6:python3-pkgconfig-1.5.1-1.5.1.noarch",
          "SUSE Enterprise Storage 6:python3-python3-saml-1.9.0-1.5.2.noarch",
          "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.aarch64",
          "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-11427",
          "url": "https://www.suse.com/security/cve/CVE-2017-11427"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1180767 for CVE-2017-11427",
          "url": "https://bugzilla.suse.com/1180767"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 6:python3-defusedxml-0.6.0-1.5.1.noarch",
            "SUSE Enterprise Storage 6:python3-freezegun-0.3.12-1.5.1.noarch",
            "SUSE Enterprise Storage 6:python3-isodate-0.6.0-1.3.2.noarch",
            "SUSE Enterprise Storage 6:python3-pkgconfig-1.5.1-1.5.1.noarch",
            "SUSE Enterprise Storage 6:python3-python3-saml-1.9.0-1.5.2.noarch",
            "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.aarch64",
            "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 6:python3-defusedxml-0.6.0-1.5.1.noarch",
            "SUSE Enterprise Storage 6:python3-freezegun-0.3.12-1.5.1.noarch",
            "SUSE Enterprise Storage 6:python3-isodate-0.6.0-1.3.2.noarch",
            "SUSE Enterprise Storage 6:python3-pkgconfig-1.5.1-1.5.1.noarch",
            "SUSE Enterprise Storage 6:python3-python3-saml-1.9.0-1.5.2.noarch",
            "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.aarch64",
            "SUSE Enterprise Storage 6:python3-xmlsec-1.3.6-1.5.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-01-08T12:37:58Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2017-11427"
    }
  ]
}

CVE-2017-11427 (GCVE-0-2017-11427)

Vulnerability from cvelistv5 – Published: 2019-04-17 13:59 – Updated: 2024-08-05 18:12

Summary

OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Severity ?

7.7 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-287 - Improper Authentication

Assigner

duo

References

URL

Tags

	https://duo.com/blog/duo-finds-saml-vulnerabiliti…	x_refsource_MISC
	https://www.kb.cert.org/vuls/id/475445	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	OneLogin	PythonSAML	Affected: unspecified , < 2.3.0 (custom)

Credits

Kelby Ludwig of Duo Security

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:12:39.492Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/475445"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PythonSAML",
          "vendor": "OneLogin",
          "versions": [
            {
              "lessThan": "2.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kelby Ludwig of Duo Security"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-17T13:59:19",
        "orgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
        "shortName": "duo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.kb.cert.org/vuls/id/475445"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": " Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@duo.com",
          "ID": "CVE-2017-11427",
          "STATE": "PUBLIC",
          "TITLE": " Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PythonSAML",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "2.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OneLogin"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Kelby Ludwig of Duo Security"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287: Improper Authentication"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
              "refsource": "MISC",
              "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
            },
            {
              "name": "https://www.kb.cert.org/vuls/id/475445",
              "refsource": "MISC",
              "url": "https://www.kb.cert.org/vuls/id/475445"
            }
          ]
        },
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
    "assignerShortName": "duo",
    "cveId": "CVE-2017-11427",
    "datePublished": "2019-04-17T13:59:19",
    "dateReserved": "2017-07-18T00:00:00",
    "dateUpdated": "2024-08-05T18:12:39.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2021:0048-1

CVE-2017-11427 (GCVE-0-2017-11427)

Tags

Sightings

Nomenclature