Vulnerability Description
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shibboleth | Oidc Op | < 3.0.4 |
Related Weaknesses (CWE)
References
- http://shibboleth.net/community/advisories/Vendor Advisory
- http://shibboleth.net/community/advisories/secadv_20220131.txtVendor Advisory
- https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_SExploitThird Party Advisory
- http://shibboleth.net/community/advisories/Vendor Advisory
- http://shibboleth.net/community/advisories/secadv_20220131.txtVendor Advisory
- https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_SExploitThird Party Advisory
FAQ
What is CVE-2022-24129?
CVE-2022-24129 is a vulnerability with a CVSS score of 8.2 (HIGH). The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to intera...
How severe is CVE-2022-24129?
CVE-2022-24129 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24129?
Check the references section above for vendor advisories and patch information. Affected products include: Shibboleth Oidc Op.