Package details: pkg:pypi/pysaml2@2.4.0
purl pkg:pypi/pysaml2@2.4.0
Next non-vulnerable version 6.5.0
Latest non-vulnerable version 6.5.0
Risk 4.5
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-7m3g-b22r-cbg8
Aliases:
CVE-2016-10127
GHSA-m269-wj6g-c459
PYSEC-2017-67
PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.
4.5.0
Affected by 4 other vulnerabilities.
VCID-b3d1-p855-67hd
Aliases:
CVE-2017-1000433
GHSA-924m-4pmx-c67h
PYSEC-2018-48
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
4.5.0
Affected by 4 other vulnerabilities.
VCID-h3ab-e8d2-wffv
Aliases:
CVE-2021-21238
GHSA-f4g9-h89h-jgv9
PYSEC-2021-48
signature forgery
6.5.0
Affected by 0 other vulnerabilities.
VCID-pf56-x34f-1kf6
Aliases:
CVE-2017-1000246
GHSA-cq94-qf6q-mf2h
PYSEC-2017-26
Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
4.6.0
Affected by 3 other vulnerabilities.
VCID-ps4j-y76q-vbcg
Aliases:
CVE-2021-21239
GHSA-5p3x-r448-pc62
PYSEC-2021-49
signature forgery
6.5.0
Affected by 0 other vulnerabilities.
VCID-s4pt-8mt6-1qgg
Aliases:
GMS-2016-67
XEE vulnerability: PySAML2 is vulnerable to XML External Entity attacks (XEE attacks) via SAML XML requests.
There are no reported fixed by versions.
VCID-t2t5-d2vj-uuff
Aliases:
CVE-2016-10149
GHSA-c2vx-49jm-h3f6
PYSEC-2017-25
XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.
4.5.0
Affected by 4 other vulnerabilities.
VCID-t8v2-vzpj-9fgf
Aliases:
CVE-2020-5390
GHSA-qf7v-8hj3-4xw7
PYSEC-2020-94
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertions that have been signed.
5.0.0
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T15:08:24.320277+00:00 GHSA Importer Affected by VCID-7m3g-b22r-cbg8 https://github.com/advisories/GHSA-m269-wj6g-c459 38.6.0
2026-06-01T14:28:14.803729+00:00 GHSA Importer Affected by VCID-t8v2-vzpj-9fgf https://github.com/advisories/GHSA-qf7v-8hj3-4xw7 38.6.0
2026-06-01T06:44:58.922248+00:00 GitLab Importer Affected by VCID-7m3g-b22r-cbg8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2016-10127.yml 38.6.0
2026-06-01T06:01:18.350033+00:00 GitLab Importer Affected by VCID-ps4j-y76q-vbcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2021-21239.yml 38.6.0
2026-06-01T06:01:17.295457+00:00 GitLab Importer Affected by VCID-h3ab-e8d2-wffv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2021-21238.yml 38.6.0
2026-06-01T05:46:57.563590+00:00 GitLab Importer Affected by VCID-t8v2-vzpj-9fgf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2020-5390.yml 38.6.0
2026-05-31T09:58:10.997777+00:00 GHSA Importer Affected by VCID-pf56-x34f-1kf6 https://github.com/advisories/GHSA-cq94-qf6q-mf2h 38.6.0
2026-05-31T09:58:10.886804+00:00 GHSA Importer Affected by VCID-t2t5-d2vj-uuff https://github.com/advisories/GHSA-c2vx-49jm-h3f6 38.6.0
2026-05-31T09:58:10.514195+00:00 GHSA Importer Affected by VCID-b3d1-p855-67hd https://github.com/advisories/GHSA-924m-4pmx-c67h 38.6.0
2026-05-31T09:48:12.003084+00:00 GitLab Importer Affected by VCID-t2t5-d2vj-uuff https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2016-10149.yml 38.6.0
2026-05-31T09:48:11.902320+00:00 GitLab Importer Affected by VCID-pf56-x34f-1kf6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2017-1000246.yml 38.6.0
2026-05-31T09:48:09.642146+00:00 GitLab Importer Affected by VCID-b3d1-p855-67hd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/CVE-2017-1000433.yml 38.6.0
2026-05-31T09:39:04.474742+00:00 PyPI Importer Affected by VCID-h3ab-e8d2-wffv https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:39:04.368244+00:00 PyPI Importer Affected by VCID-ps4j-y76q-vbcg https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:37:50.940351+00:00 PyPI Importer Affected by VCID-t8v2-vzpj-9fgf https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:37:08.029195+00:00 PyPI Importer Affected by VCID-b3d1-p855-67hd https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:37:07.425870+00:00 PyPI Importer Affected by VCID-pf56-x34f-1kf6 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:36:57.565843+00:00 PyPI Importer Affected by VCID-t2t5-d2vj-uuff https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:36:55.270225+00:00 PyPI Importer Affected by VCID-7m3g-b22r-cbg8 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:36:14.395648+00:00 GitLab Importer Affected by VCID-s4pt-8mt6-1qgg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pysaml2/GMS-2016-67.yml 38.6.0
2026-05-30T20:21:02.594826+00:00 Pypa Importer Affected by VCID-ps4j-y76q-vbcg https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2021-49.yaml 38.6.0
2026-05-30T20:21:02.367621+00:00 Pypa Importer Affected by VCID-h3ab-e8d2-wffv https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2021-48.yaml 38.6.0
2026-05-30T20:18:44.346167+00:00 Pypa Importer Affected by VCID-t8v2-vzpj-9fgf https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2020-94.yaml 38.6.0
2026-05-30T20:17:34.036729+00:00 Pypa Importer Affected by VCID-b3d1-p855-67hd https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2018-48.yaml 38.6.0
2026-05-30T20:17:32.729419+00:00 Pypa Importer Affected by VCID-pf56-x34f-1kf6 https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2017-26.yaml 38.6.0
2026-05-30T20:17:12.197121+00:00 Pypa Importer Affected by VCID-t2t5-d2vj-uuff https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2017-25.yaml 38.6.0
2026-05-30T20:17:07.559904+00:00 Pypa Importer Affected by VCID-7m3g-b22r-cbg8 https://github.com/pypa/advisory-database/blob/main/vulns/pysaml2/PYSEC-2017-67.yaml 38.6.0