Is OpenSaml 4.2.0 invulnerable to XSW attack?
Dimino, Gerlando
gerlando.dimino at siemens.com
Tue Jun 7 09:32:46 UTC 2022
Hi All,
I need to understand if the attack described in the following document https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91-8-23-12.pdf has been fixed in the current OpenSaml version.
In the provided article they claim that OpenSaml is vulnerable to it and I know that OpenSaml 3.3.0 is vulnerable to it.
Looking at the resolved and open issues, I was not able to find any information regarding this.
Thanks in advance for any answer.
Gerlando Dimino.
-----------------
Siemens Industry Software, s.r.o.