CVE-2022-24129 - Server-Side Request Forgery (SSRF) vulnerability in Shibboleth Oidc OP
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: HIGH
Availability impact: NONE
Summary
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
References
- http://shibboleth.net/community/advisories/
- http://shibboleth.net/community/advisories/secadv_20220131.txt
- https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF