CVE-2017-1000246: Pysaml2 improperly initializes encryption vector

CVSS Score: 5.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.32179%
Published: 7/16/2018
Updated: 10/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name: pysaml2
Ecosystem: pip
Vulnerable Versions: < 4.6.0
First Patched Version: 4.6.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from IV reuse in AES encryption. The commit diff shows that the AESCipher class previously allowed an IV to be stored via __init__ and reused it in build_cipher/encrypt. The patched version removes IV storage and enforces fresh IV generation. The IDP server's use of a persistent AESCipher instance with a fixed IV (via symkey/iv initialization in server.py and authn.py) would trigger this reuse. The functions that directly handle the IV (__init__, build_cipher, encrypt) are the root cause.
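An added illustration (not pysaml2's code and not from the advisory) of why the stored-IV pattern described above weakens encryption: the hypothetical `Cipher` class reuses an IV passed to `__init__` and otherwise draws a fresh one per call. It assumes CBC mode and uses an HMAC-based stand-in for the AES block function, because the Python standard library has no AES, so it only encrypts.

```python
import hashlib
import hmac
import os

BLOCK = 16

def block_encrypt(key, block):
    # Stand-in for the AES block function: keyed, deterministic, 16 bytes out.
    # It is one-way, so this sketch demonstrates encryption only.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad          # PKCS#7-style padding
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = block_encrypt(key, mixed)           # chaining: output feeds next block
        out += prev
    return out

class Cipher:
    """iv given: stored and reused for every message (the pre-fix pattern).
    iv omitted: a random IV per call (the patched behaviour)."""
    def __init__(self, key, iv=None):
        self.key, self.iv = key, iv
    def encrypt(self, msg):
        iv = self.iv or os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, msg)

def shared_leading_blocks(c1, c2):
    """Count identical leading 16-byte blocks (IV included) of two outputs."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

def demo():
    # Constructed sample messages that share a 32-byte prefix.
    prefix = b"user=alice;role=admin;session=01"
    m1, m2 = prefix + b";nonce=AAAA", prefix + b";nonce=BBBB"
    key = os.urandom(16)
    static = Cipher(key, iv=os.urandom(BLOCK))     # long-lived instance, fixed IV
    fresh = Cipher(key)                            # fresh IV on every encrypt()
    return (shared_leading_blocks(static.encrypt(m1), static.encrypt(m2)),
            shared_leading_blocks(fresh.encrypt(m1), fresh.encrypt(m2)))
```

With the fixed IV, the two outputs agree on the IV block and on both blocks covering the shared prefix, so an observer learns which messages start the same way; with a fresh IV no leading block matches.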

WAF Protection Rules

WAF Rule

Python package pysaml2 version *.*.* and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
