Miggo Logo
Miggo Vulnerability Database
CVE-2017-1000246

CVE-2017-1000246: Pysaml2 improperly initializes encryption vector

5.3

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-1000246
GHSA ID
GHSA-cq94-qf6q-mf2h
EPSS Score
0.32179%
CWE
CWE-330
Published
7/16/2018
Updated
10/14/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pysaml2pip< 4.6.04.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from IV reuse in AES encryption. The commit diff shows the AESCipher class previously allowed static IV storage via init and reused it in build_cipher/encrypt. The patched version removed IV storage and enforced fresh IV generation. The IDP server's use of a persistent AESCipher instance with a fixed IV (via symkey/iv initialization in server.py and authn.py) would trigger this reuse. The functions directly handling IV management (init, build_cipher, encrypt) are the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pyt*on p**k*** pys*ml* v*rsion *.*.* *n* **rli*r r*us*s t** initi*liz*tion v**tor **ross *n*ryptions in t** I*P s*rv*r, r*sultin* in w**k *n*ryption o* **t*.

Reasoning

T** vuln*r**ility st*mm** *rom IV r*us* in **S *n*ryption. T** *ommit *i** s*ows t** **S*ip**r *l*ss pr*viously *llow** st*ti* IV stor*** vi* __init__ *n* r*us** it in *uil*_*ip**r/*n*rypt. T** p*t**** v*rsion r*mov** IV stor*** *n* *n*or*** *r*s* IV