Is OpenSaml 4.2.0 invulnerable to XSW attack?

Dimino, Gerlando gerlando.dimino at
Tue Jun 7 10:47:34 UTC 2022

Looking at the information you sent me, I see that this vulnerability was closed a long time ago, so I'll look into it further and let you know.

From: users <users-bounces at> On Behalf Of Ian Young
Sent: Tuesday, June 7, 2022 12:33 PM
To: Shib Users <users at>
Subject: Re: Is OpenSaml 4.2.0 invulnerable to XSW attack?

On 2022-06-07, at 11:29, Ian Young <ian at> wrote:

On 2022-06-07, at 10:32, Dimino, Gerlando via users <users at> wrote:

In the provided article they claim that OpenSAML is vulnerable to it, and I know that OpenSAML 3.3.0 is vulnerable to it.

Looking at the resolved and open issues, I was not able to find any information regarding this.

You say that you know OpenSAML 3.3.0 is vulnerable to this, but I'd be interested to know why you think that is the case.

The paper dates to work done in 2011, and the Shibboleth advisory was later that year, referencing Shibboleth IdP *2*.3.2. You're not finding that in the V3 documentation because it was well before that, unless I'm confused.

    -- Ian

Here's the (archived) advisories page for the V2 products:

    -- Ian

Siemens Industry Software, s.r.o.
Praha 4, Mezi vodami 2035/31, postal code 143 00
Company ID 256 51 897
Registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 58222

Important Note: This message is only of an informative nature. The content of this message shall not be binding on the sender, and the sender neither intends to conclude a contract, accept an offer or confirm the conclusion of a contract by this message, nor does this message represent pre-contractual liability of the sender, unless the sender explicitly states otherwise in the message. The content of this message (including attachments) is confidential. If you are not the intended recipient of this message, any access, copying, distribution or use of the content of this message is strictly prohibited; in such a case, please immediately notify the sender and then delete the entire message (including attachments) from your system.
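Editor's added example (not code from this thread, from OpenSAML or from Shibboleth): the class of bug the thread is asking about, XML Signature Wrapping, comes down to a consumer that verifies one element and then processes a different one. The script below builds a SAML-like Response, wraps it the way an attacker would (the signed Assertion is kept byte-for-byte intact but relocated, and an unsigned Assertion is put where the consumer looks), and runs it through a naive consumer and a hardened one. XML-DSig is stood in for by an HMAC over the serialised element, and the key, IDs, element names and subjects are all constructed for the demonstration; the structural point is the same one a real XML-DSig verifier has to get right.

```python
"""
XML Signature Wrapping (XSW) against a SAML-like Response: a naive consumer
that verifies one element and processes another, beside a consumer that only
trusts the element it actually verified.

Added example, not code from the mailing-list thread or from OpenSAML.
XML-DSig is stood in for by an HMAC over the serialised element (constructed
simplification); the key, IDs and subjects below are all constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # stand-in for the IdP signing key (constructed)


def _digest(elem: ET.Element) -> str:
    # Serialise without pretty-printing so the bytes do not depend on where
    # the element sits in the tree (what a real C14N transform guarantees).
    data = ET.tostring(elem, encoding="unicode").encode("utf-8")
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def build_response(subject: str, assertion_id: str = "_a1") -> str:
    """IdP side: a Response holding one Assertion and a detached Signature
    whose Reference points at the Assertion by ID."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(resp, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = _digest(assertion)
    return ET.tostring(resp, encoding="unicode")


def wrap(signed_xml: str, attacker_subject: str) -> str:
    """Attacker side: keep the signed Assertion intact but move it under a
    wrapper element, and put an unsigned Assertion carrying the attacker's
    subject where the consumer expects to find one."""
    resp = ET.fromstring(signed_xml)
    original = resp.find("Assertion")
    resp.remove(original)
    evil = ET.Element("Assertion", ID="_evil")
    ET.SubElement(evil, "Subject").text = attacker_subject
    resp.insert(0, evil)
    ET.SubElement(resp, "Extensions").append(original)
    return ET.tostring(resp, encoding="unicode")


def _verified_element(resp: ET.Element) -> ET.Element:
    """Resolve the Reference URI to an element anywhere in the document and
    check its signature; raise if it does not verify."""
    sig = resp.find("Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    target = next(e for e in resp.iter() if e.get("ID") == ref_id)
    expected = sig.find("SignatureValue").text
    if not hmac.compare_digest(_digest(target), expected):
        raise ValueError("signature does not verify")
    return target


def naive_subject(xml: str) -> str:
    """Vulnerable: verifies the referenced element, then reads the Subject
    from the first Assertion under Response, which need not be the same node."""
    resp = ET.fromstring(xml)
    _verified_element(resp)                      # passes on the wrapped message
    return resp.find("Assertion/Subject").text   # ... but this is the attacker's


def safe_subject(xml: str) -> str:
    """Hardened: consume only the exact element that verified, and require it
    to sit where the profile says an Assertion lives (direct child of Response)."""
    resp = ET.fromstring(xml)
    target = _verified_element(resp)
    if target.tag != "Assertion" or target not in list(resp):
        raise ValueError("signed element is not a top-level Assertion")
    return target.find("Subject").text


if __name__ == "__main__":
    legit = build_response("alice@example.org")
    forged = wrap(legit, "admin@example.org")
    print("naive, legit :", naive_subject(legit))
    print("naive, forged:", naive_subject(forged))
    print("safe,  legit :", safe_subject(legit))
    try:
        safe_subject(forged)
    except ValueError as exc:
        print("safe,  forged: rejected:", exc)
```

The signature on the forged message still verifies in both consumers; the difference is that safe_subject never touches a node other than the one the Reference resolved to and refuses it when it is not where the profile puts an Assertion. That is the property to check for in any SAML library or integration when evaluating a claim that it is, or is not, exposed to XSW.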