CVE-2017-1000433: Known moderate severity security vulnerability detected in pysaml2 <= 4.5.0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Won't Fix | Low | Ken Young |
Bug Description
Title
-----
CVE-2017-1000433: GitHub Scan Reveals Potential CVE with pysaml2
Brief Description
-----------------
Automated GitHub scanning of the StarlingX keystone package, which is based on the OpenStack Pike release, raised this alert. Specifically, the notification stated:
We found a potential security vulnerability in a repository for which you have been granted security alert access.
@starlingx-staging starlingx-
Known moderate severity security vulnerability detected in pysaml2 <= 4.5.0 defined in requirements.txt.
Severity
--------
Minor: System/Feature is usable with minor issue
Steps to Reproduce
------------------
N/A
Expected Behavior
-----------------
N/A
Actual Behavior
---------------
N/A
Reproducibility
---------------
N/A
System Configuration
--------------------
This potential issue affects keystone so all configurations may be impacted.
Branch/Pull Time/Commit
-----------------------
Master
Timestamp/Logs
--------------
N/A
CVE References
--------------
information type: Private → Private Security
Changed in starlingx:
  status: New → Won't Fix
  importance: Undecided → Low
information type: Private Security → Public Security
This is regarding CVE-2017-1000433, which has a base score of 6.8 and a very low impact:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000433
Red Hat has decided not to fix this:
https://access.redhat.com/security/cve/cve-2017-1000433
Although the affected code is present in shipped packages, python-pysaml2 is included only as a dependency of other packages. The affected code cannot be reached in any supported configuration of Red Hat OpenStack Platform.