VulnerableCode Package Details - pkg:maven/org.opensaml/opensaml@2.6.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-2r1u-v64e-jbbw Aliases: CVE-2014-3603 GHSA-rm7v-gqfg-p2wc	Improper Validation of Certificate with Host Mismatch The (1) `HttpResource` and (2) `FileBackedHttpResource` implementations in OpenSAML do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.	2.6.2 Affected by 0 other vulnerabilities. 2.6.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-grv5-69mv-5fdr Aliases: CVE-2015-1796 GHSA-78fq-w796-q537	Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.	2.6.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2r1u-v64e-jbbw
Aliases:
CVE-2014-3603
GHSA-rm7v-gqfg-p2wc

Improper Validation of Certificate with Host Mismatch The (1) `HttpResource` and (2) `FileBackedHttpResource` implementations in OpenSAML do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

2.6.2
Affected by 0 other vulnerabilities.

2.6.4
Affected by 1 other vulnerability.

VCID-grv5-69mv-5fdr
Aliases:
CVE-2015-1796
GHSA-78fq-w796-q537

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

2.6.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-z9nz-nkff-kfez	XML eXternal Entity (XXE) flaw in ParserPool and Decrypter The `BasicParserPool`, `StaticBasicParserPool`, XML Decrypter, and SAML Decrypter in this package set the expandEntityReferences property to `true`, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.	CVE-2013-6440 GHSA-v723-58jv-2qc4

Vulnerability

Summary

Aliases

VCID-z9nz-nkff-kfez

XML eXternal Entity (XXE) flaw in ParserPool and Decrypter The `BasicParserPool`, `StaticBasicParserPool`, XML Decrypter, and SAML Decrypter in this package set the expandEntityReferences property to `true`, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

CVE-2013-6440
GHSA-v723-58jv-2qc4

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:52:29.618535+00:00	GitLab Importer	Affected by	VCID-grv5-69mv-5fdr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2015-1796.yml	38.4.0
2026-04-16T21:47:35.705323+00:00	GitLab Importer	Fixing	VCID-z9nz-nkff-kfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2013-6440.yml	38.4.0
2026-04-16T20:53:20.223042+00:00	GitLab Importer	Affected by	VCID-2r1u-v64e-jbbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2014-3603.yml	38.4.0
2026-04-11T23:08:13.422264+00:00	GitLab Importer	Affected by	VCID-grv5-69mv-5fdr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2015-1796.yml	38.3.0
2026-04-11T23:03:26.059456+00:00	GitLab Importer	Fixing	VCID-z9nz-nkff-kfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2013-6440.yml	38.3.0
2026-04-11T22:04:10.251070+00:00	GitLab Importer	Affected by	VCID-2r1u-v64e-jbbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2014-3603.yml	38.3.0
2026-04-02T23:16:43.638179+00:00	GitLab Importer	Affected by	VCID-grv5-69mv-5fdr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2015-1796.yml	38.1.0
2026-04-02T23:11:48.367026+00:00	GitLab Importer	Fixing	VCID-z9nz-nkff-kfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2013-6440.yml	38.1.0
2026-04-02T22:17:09.449506+00:00	GitLab Importer	Affected by	VCID-2r1u-v64e-jbbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2014-3603.yml	38.1.0
2026-04-01T17:36:50.664008+00:00	GitLab Importer	Affected by	VCID-grv5-69mv-5fdr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2015-1796.yml	38.0.0
2026-04-01T16:00:51.840572+00:00	GHSA Importer	Fixing	VCID-z9nz-nkff-kfez	https://github.com/advisories/GHSA-v723-58jv-2qc4	38.0.0
2026-04-01T13:08:57.664547+00:00	GithubOSV Importer	Fixing	VCID-z9nz-nkff-kfez	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v723-58jv-2qc4/GHSA-v723-58jv-2qc4.json	38.0.0
2026-04-01T12:50:08.197950+00:00	GitLab Importer	Fixing	VCID-z9nz-nkff-kfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2013-6440.yml	38.0.0
2026-04-01T12:48:23.406465+00:00	GitLab Importer	Affected by	VCID-2r1u-v64e-jbbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2014-3603.yml	38.0.0