Package details: pkg:maven/org.opensaml/opensaml@2.5.3
purl: pkg:maven/org.opensaml/opensaml@2.5.3
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk
Vulnerabilities affecting this package (3)

VCID-62wd-n7yf-eqct
Aliases: CVE-2014-3603, GHSA-rm7v-gqfg-p2wc
Summary: Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java. The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java before 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Fixed by: 2.6.2 (affected by 0 other vulnerabilities); 2.6.4 (affected by 1 other vulnerability)
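What the missing hostname check means in practice, as an added example that is not part of this advisory or of OpenSAML's code: a Python matcher for the CN/subjectAltName rule that the vulnerable HttpResource skipped, run against constructed certificates in the dict shape ssl's getpeercert() returns, next to the ssl context setting (check_hostname) that reproduces the same fail-open behaviour. The certificates, the function names and the chain_valid flag (standing in for PKIX path validation, assumed already done) are assumptions of the example.

```python
import ssl

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns
# (example data, not from the advisory). All three are assumed to chain to a trusted CA:
# the point of CVE-2014-3603 is that chain validity alone was accepted.
SERVER_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.idp.example.org")),
}
ATTACKER_CERT = {  # validly issued, but to the attacker's own host
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
CN_ONLY_CERT = {  # legacy certificate with no subjectAltName at all
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, '*' only as the whole leftmost
    label, matching exactly one label, and never a bare public suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def presented_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN dNSName entries, or the CN only when the
    certificate carries no dNSName SAN (the CN-or-SAN rule the advisory text describes)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(hostname: str, cert: dict) -> bool:
    return any(_dns_name_matches(name, hostname) for name in presented_names(cert))


def peer_accepted(hostname: str, cert: dict, chain_valid: bool, check_hostname: bool) -> bool:
    """Acceptance decision for a TLS peer. chain_valid stands in for PKIX path validation
    (assumed done elsewhere); check_hostname=False reproduces the pre-2.6.2 behaviour."""
    if not chain_valid:
        return False
    if not check_hostname:
        return True  # any validly issued certificate is accepted for any host: the bug
    return hostname_matches(hostname, cert)


def vulnerable_context() -> ssl.SSLContext:
    """A Python ssl context with the same gap: chain verified, hostname never compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The default client context already requires a hostname match; leave it alone."""
    return ssl.create_default_context()


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("legit cert for idp.example.org:", hostname_matches("idp.example.org", SERVER_CERT))
    print("attacker cert, hostname check off:",
          peer_accepted("idp.example.org", ATTACKER_CERT, chain_valid=True, check_hostname=False))
    print("attacker cert, hostname check on:",
          peer_accepted("idp.example.org", ATTACKER_CERT, chain_valid=True, check_hostname=True))
```

The matcher prefers SAN dNSName entries and only falls back to the CN when none are present, which is the stricter reading of "CN or subjectAltName"; a client that accepts the CN even when SANs exist is matching on a field modern CAs no longer bind to the host.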
VCID-s43c-w92c-dyag
Aliases: CVE-2015-1796, GHSA-78fq-w796-q537
Summary: Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML. The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
Fixed by: 2.6.5 (affected by 0 other vulnerabilities)
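The fail-open trusted-names check, modelled in Python as an added example (not OpenSAML's own code): path validation against the shibmd:KeyAuthority anchors is taken as already passed, and the only thing that differs between the vulnerable and the hardened engine is what happens when the entityID yields no trusted names. The exact 2.6.5 logic is not on this page; that the hardened engine must fail closed on an empty name set is the assumption the model encodes. The metadata dict, the candidate certificates and all names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """An X.509 credential presented by a peer (constructed example data)."""
    subject_cn: str
    san_dns: tuple
    # Outcome of PKIX path validation against the shibmd:KeyAuthority anchors,
    # assumed to have been computed already.
    chains_to_key_authority: bool


# Constructed metadata: entityID -> KeyName values published for that entity. The second
# entity publishes none, which is exactly the state the vulnerable engine mishandled.
METADATA_KEYNAMES = {
    "https://sp.example.org/shibboleth": ("sp.example.org",),
    "https://legacy-sp.example.net/shibboleth": (),
}


def trusted_names_for(entity_id: str) -> set:
    return set(METADATA_KEYNAMES.get(entity_id, ()))


def candidate_names(cand: Candidate) -> set:
    return {cand.subject_cn, *cand.san_dns}


def pkix_trust_decision(cand: Candidate, entity_id: str, fail_open_on_empty: bool) -> bool:
    """Trust evaluation: path validation first, then the trusted-names check.
    fail_open_on_empty=True models the pre-2.6.5 behaviour; False is the hardened one."""
    if not cand.chains_to_key_authority:
        return False
    trusted = trusted_names_for(entity_id)
    if not trusted:
        # Vulnerable: an empty set was treated as "nothing to check", so trusted.
        # Hardened: nothing binds this certificate to this entity, so untrusted.
        return fail_open_on_empty
    return bool(candidate_names(cand) & trusted)


def vulnerable_engine(cand: Candidate, entity_id: str) -> bool:
    return pkix_trust_decision(cand, entity_id, fail_open_on_empty=True)


def hardened_engine(cand: Candidate, entity_id: str) -> bool:
    return pkix_trust_decision(cand, entity_id, fail_open_on_empty=False)


LEGIT = Candidate("sp.example.org", ("sp.example.org",), True)
# Issued by the same KeyAuthority to a different member of the federation: exactly the
# certificate the advisory says can impersonate an entity with no trusted names.
OTHER_MEMBER = Candidate("evil.example.com", ("evil.example.com",), True)
UNRELATED = Candidate("sp.example.org", ("sp.example.org",), False)

if __name__ == "__main__":
    legacy = "https://legacy-sp.example.net/shibboleth"
    print("other federation member vs entity without KeyNames, vulnerable:",
          vulnerable_engine(OTHER_MEMBER, legacy))
    print("same, hardened:", hardened_engine(OTHER_MEMBER, legacy))
```

Note what the fix costs: an entity whose metadata publishes no KeyName is rejected by the hardened engine even for its genuine certificate, so a deployment relying on KeyAuthority trust has to publish names (or consciously disable name checking) before upgrading.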
VCID-v6hn-ktd8-n7an
Aliases: CVE-2013-6440, GHSA-v723-58jv-2qc4
Summary: Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML. The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
Fixed by: 2.6.1 (affected by 2 other vulnerabilities)
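The two halves of this bug, shown with Python's stdlib expat parser as an added example (not OpenSAML's code): a parser that honours the DOCTYPE is asked to resolve the external entity the attacker declared, and the same DOCTYPE also lets an internal entity amplify a few bytes of input into far more output. OpenSAML 2.6.1 fixed the advisory by defaulting expandEntityReferences to false; the control a practitioner should prefer, and what the guard below does, is to refuse any DOCTYPE at all (the Xerces feature http://apache.org/xml/features/disallow-doctype-decl does this for a Java parser pool). The sample documents are constructed and the function names are assumptions.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not from the advisory). The first carries an external
# entity, the second an internal-entity amplifier, the third is a harmless message.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Response><Issuer>&xxe;</Issuer></Response>"""

AMPLIFIER_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<Response><Issuer>&b;</Issuer></Response>"""

CLEAN_DOC = b'<?xml version="1.0"?><Response><Issuer>https://idp.example.org</Issuer></Response>'


class DoctypeNotAllowed(ValueError):
    pass


def parse(doc: bytes, allow_doctype: bool):
    """Parse with expat; return (character data, system IDs the parser asked to resolve).

    With allow_doctype=True the DTD is accepted and expat asks the external-entity handler
    to resolve &xxe;: a resolving parser would open that file right there. With
    allow_doctype=False any DOCTYPE is rejected before an entity can be declared."""
    text, resolve_requests = [], []
    p = expat.ParserCreate()
    p.buffer_text = True
    p.CharacterDataHandler = text.append

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise DoctypeNotAllowed(f"DOCTYPE for {name!r} rejected")

    def on_external_entity(context, base, system_id, public_id):
        resolve_requests.append(system_id)  # record the attempt instead of fetching it
        return 1  # tell expat to carry on

    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.Parse(doc, True)
    return "".join(text), resolve_requests


def unsafe_parse(doc: bytes):
    """Pre-2.6.1 posture: DOCTYPE accepted, entities expanded and resolved."""
    return parse(doc, allow_doctype=True)


def safe_parse(doc: bytes):
    """Hardened posture: a SAML message never needs a DTD, so refuse it outright."""
    return parse(doc, allow_doctype=False)


def is_rejected(doc: bytes) -> bool:
    try:
        safe_parse(doc)
    except DoctypeNotAllowed:
        return True
    return False


if __name__ == "__main__":
    body, requests = unsafe_parse(XXE_DOC)
    print("unsafe parser tried to resolve:", requests)
    print("unsafe parser expanded amplifier to", len(unsafe_parse(AMPLIFIER_DOC)[0]), "chars")
    print("safe parser rejects XXE document:", is_rejected(XXE_DOC))
    print("safe parser keeps clean document:", safe_parse(CLEAN_DOC)[0])
```

Rejecting the DOCTYPE in the decrypters matters as much as in the parser pools: an encrypted assertion is decrypted to a byte string that is then parsed again, and that second parse is the one an attacker reaches through an EncryptedAssertion the IdP or SP otherwise trusts.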
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode version
2026-05-30T05:19:55.108992+00:00 | GitLab Importer | Affected by | VCID-s43c-w92c-dyag | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2015-1796.yml | 38.6.0
2026-05-30T05:13:56.236463+00:00 | GitLab Importer | Affected by | VCID-v6hn-ktd8-n7an | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2013-6440.yml | 38.6.0
2026-05-30T04:03:09.949198+00:00 | GitLab Importer | Affected by | VCID-62wd-n7yf-eqct | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opensaml/opensaml/CVE-2014-3603.yml | 38.6.0