CVE-2015-5301: Ipsilon denial of service by deleting a SAML2 Service Provider (SP)

CVSS Score: 5.5

Basic Information

- CVE ID: CVE-2015-5301
- GHSA ID:
- EPSS Score: 0.71517%
- CWE: -
- Published: 5/17/2022
- Updated: 11/22/2024
- KEV Status: No
- Technology: Python

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ipsilon | pip | >= 0.1.0, < 1.0.2 | 1.0.2 |
| ipsilon | pip | >= 1.1.0, < 1.1.1 | 1.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability description explicitly names providers/saml2/admin.py as the vulnerable component.
- The Red Hat Bugzilla report references line 309 of this file as the vulnerable code location.
- The upstream patch adds a permission check for the 'admin' role before deletion, confirming that the original code performed no authorization check at that point.
- While the exact function name is not explicitly stated, the context indicates it is the SP deletion handler in the admin interface.
- The CWE-264 mapping (Permissions, Privileges, and Access Controls) is consistent with a missing authorization check on a deletion operation.