Vulnerabilities > CVE-2022-24129 - Server-Side Request Forgery (SSRF) vulnerability in Shibboleth Oidc OP

CVSS 8.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

shibboleth

CWE-918

NVD

Published: 2022-02-04

Updated: 2022-02-09

Summary

The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.

Vulnerable Configurations

Part	Description	Count
Application	Shibboleth Shibboleth Oidc OP 3.0.0 Shibboleth Oidc OP 3.0.1 Shibboleth Oidc OP 3.0.2 Shibboleth Oidc OP 3.0.3	4

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

http://shibboleth.net/community/advisories/
https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF
http://shibboleth.net/community/advisories/secadv_20220131.txt