Floragasse 7 – 5th floor, 1040 Vienna


Security Advisory: Shibboleth Identity Provider OIDC OP Plugin 3.0.3 or below Server-Side Request Forgery (CVE-2022-24129)

Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the request_uri parameter.

This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.

Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF


David Gnedt
Andreas Bernauer-Puchegger
Franz Wieshaider