CVE-2017-1000433: Known moderate severity security vulnerability detected in pysaml2 <= 4.5.0
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| StarlingX |
Won't Fix
|
Low
|
Ken Young | ||
Bug Description
Title
-----
CVE-2017-1000433: GitHub Scans Reveals Potential CVE with pysaml2
Brief Description
-----------------
Automated github scanning of the starling x keystone package based on OpenStack Pike release. Specifically, the notification stated:
We found a potential security vulnerability in a repository for which you have been granted security alert access.
@starlingx-staging starlingx-
Known moderate severity security vulnerability detected in pysaml2 <= 4.5.0 defined in requirements.txt.
Severity
--------
Provide the severity of the defect.
<Minor: System/Feature is usable with minor issue>
Steps to Reproduce
------------------
N/A
Expected Behavior
------------------
N/A
Actual Behavior
----------------
N/A
Reproducibility
---------------
N/A
System Configuration
-------
This potential issue affects keystone so all configurations may be impacted.
Branch/Pull Time/Commit
-------
Master
Timestamp/Logs
--------------
N/A
CVE References
| Ken Young (kenyis) wrote | #1 |
| information type: | Private → Private Security |
| Changed in starlingx: | |
| status: | New → Won't Fix |
| importance: | Undecided → Low |
| information type: | Private Security → Public Security |
This is regarding CVE-2017-1000433 which has a base score of 6.8 and a very low impact:
https:/
Red Hat has decided not to fix this:
https:/
Although the affected code is present in shipped packages, python-pysaml2 is included only as a dependency of other packages. The affected code cannot be reached in any supported configuration of Red Hat OpenStack Platform.