
SBA Security Advisory – Shibboleth Identity Provider OIDC OP Plugin – Server-Side Request Forgery (CVE-2022-24129)

Vulnerability Overview

Shibboleth Identity Provider OIDC OP plugin in version 3.0.3 or earlier is prone to a server-side request forgery (SSRF) vulnerability due to insufficient restriction of the request_uri parameter. This allows unauthenticated attackers to make the server interact with arbitrary third-party HTTP services.

  • Type of Vulnerability: Server-Side Request Forgery (SSRF)
  • Fixed in Version: 3.0.4
  • CVE ID: CVE-2022-24129
  • CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
  • CVSSv3.1 Base Score: 8.6 (High)
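The defensive pattern the fix relies on is that an OpenID Provider must only fetch a request_uri that the relying party pre-registered (OpenID Connect Core 6.2). The following check is an added illustration written for this advisory, not code from the Shibboleth plugin; the client identifiers and registered URIs are constructed, and the allow-list lookup stands in for whatever client-metadata store a deployment uses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed client metadata (hypothetical clients): the request_uris a relying party
# registered with the OP. "misconfigured-rp" registered a loopback URI on purpose to
# show that the host check catches it even though the value is on the allow-list.
REGISTERED_REQUEST_URIS = {
    "demo-rp": {"https://rp.example.org/oidc/request.jwt"},
    "misconfigured-rp": {"https://127.0.0.1/oidc/request.jwt"},
}


def _host_is_public(host: str) -> bool:
    """Reject literal loopback, private, link-local, reserved and multicast addresses.
    Hostnames pass here; a deployment should additionally resolve the name and re-check
    the resulting address at fetch time, since DNS can point a name at an internal host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() != "localhost"
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_reserved
        or addr.is_multicast
    )


def validate_request_uri(client_id: str, request_uri: str) -> bool:
    """Return True only if request_uri exactly matches a value pre-registered for
    client_id, uses https, carries no embedded credentials, and points at a public host.
    Anything else is refused before the OP issues any outbound HTTP request."""
    allowed = REGISTERED_REQUEST_URIS.get(client_id, set())
    if request_uri not in allowed:
        # Unregistered value: the caller could otherwise steer the OP at arbitrary services.
        return False
    parts = urlsplit(request_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    return _host_is_public(parts.hostname)
```

Exact matching against registered values is the primary control; the scheme and host checks only defend against a bad registration.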

Recommended Countermeasure

We recommend updating the Shibboleth Identity Provider OIDC OP plugin to version 3.0.4 or later. For further details, see the full security advisory.

Links

Full Security Advisory

Credits