Security Advisory: Shibboleth Identity Provider OIDC OP Plugin 3.0.3 or below Server-Side Request Forgery (CVE-2022-24129)
Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the request_uri parameter.
This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF