Improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0.
Created python-pysaml2 tracking bugs for this issue:
Affects: epel-8 [bug 2007593]
Affects: fedora-all [bug 2007592]
Affects: openstack-rdo [bug 2007594]
Upstream fix: https://github.com/IdentityPython/pysaml2/commit/3b707723dcf1bf60677b424aac398c0c3557641d
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):