Is OpenSaml 4.2.0 invulnerable to XSW attack?

Ian Young ian at
Tue Jun 7 10:29:50 UTC 2022

> On 2022-06-07, at 10:32, Dimino, Gerlando via users <users at> wrote:
> In the provided article they claim that OpenSaml is vulnerable to it and I know that OpenSaml 3.3.0 is vulnerable to it.
> Looking at the resolved and open issues I was not able to find any information regarding this.

You say that you know OpenSAML 3.3.0 is vulnerable to this, but I'd be interested to know why you think that is the case.

The paper dates to work done in 2011, and the Shibboleth advisory was later that year referencing Shibboleth IdP *2*.3.2. You're not finding that in the V3 documentation because it was well before that, unless I'm confused.

    -- Ian
