Vulnerabilities > CVE-2022-24129 - Server-Side Request Forgery (SSRF) vulnerability in Shibboleth Oidc OP

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

shibboleth

CWE-918

NVD

Published: 2022-02-04

Updated: 2022-02-09

Summary

The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.

Vulnerable Configurations

Part	Description	Count
Application	Shibboleth Shibboleth Oidc OP *	1

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

http://shibboleth.net/community/advisories/
https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF
http://shibboleth.net/community/advisories/secadv_20220131.txt