CVE-2017-1000246: Pysaml2 improperly initializes encryption vector
5.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.32179%
CWE
Published
7/16/2018
Updated
10/14/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pysaml2 | pip | < 4.6.0 | 4.6.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from IV reuse in AES encryption. The commit diff shows the AESCipher class previously allowed static IV storage via init and reused it in build_cipher/encrypt. The patched version removed IV storage and enforced fresh IV generation. The IDP server's use of a persistent AESCipher instance with a fixed IV (via symkey/iv initialization in server.py and authn.py) would trigger this reuse. The functions directly handling IV management (init, build_cipher, encrypt) are the root cause.