CVE-2022-24129
published 2022-02-04

CVE-2022-24129: The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri…

Priority: P2 · 59 · high
CVSS 3.1: 8.2 (AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:H / A:N)
EXPLOIT
EPSS: 6.14% (92.6th percentile)
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.

Affected

1 range
Vendor: shibboleth · Product: oidc_op · Version range: < 3.0.4 · Fixed in: 3.0.4

Detection & IOCs (extracted from sources)

URL: /idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https://{{interactsh-url}}
Other: ShibbolethIdp (User-Agent of the IdP's outbound fetch)
  • Detect SSRF exploitation attempts by monitoring GET requests to /idp/profile/oidc/authorize containing a request_uri parameter pointing to an external/out-of-band host (e.g., interactsh or Burp Collaborator URLs).
  • Confirm exploitation by observing an outbound HTTP callback from the Shibboleth IdP server containing the string 'ShibbolethIdp' in the User-Agent or request headers, indicating the server fetched the attacker-supplied request_uri.
  • The vulnerability is triggered via the request_uri parameter in the OIDC authorization endpoint; monitor for any request_uri values that resolve to non-whitelisted or external hosts.
  • Only Shibboleth Identity Provider instances running the OIDC OP plugin versions prior to 3.0.4 are affected. Instances upgraded to 3.0.4 or later are not vulnerable.
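The detection steps above as working code, added here as an example; it is not code from this page or from the Shibboleth project. It assumes a combined-format access log written by a reverse proxy in front of the IdP, a hypothetical egress-proxy log format for the IdP's outbound requests, and a hypothetical allowlist of the request_uri hosts registered for your relying parties. All log lines are constructed. Hits from the access log are classified as "internal" (private, loopback, link-local address or localhost) or "external", since an SSRF aimed at internal services looks different from an out-of-band callback probe.

```python
"""Detect CVE-2022-24129 (Shibboleth OIDC OP request_uri SSRF) in logs.

Added example, not code from the page or the Shibboleth project.
Assumptions: combined-format access log in front of the IdP, a constructed
egress-proxy log format, and an allowlist of registered request_uri hosts.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

AUTHZ_PATH = "/idp/profile/oidc/authorize"
IDP_FETCH_UA = "ShibbolethIdp"  # UA string the IdP uses when fetching request_uri

# Hypothetical allowlist: hosts of the request_uri values your registered RPs use.
ALLOWED_REQUEST_URI_HOSTS = {"rp.example.edu"}

# Combined log: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed egress-proxy format: ts src METHOD url "ua"
EGRESS_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def request_uri_host(target):
    """Return (host, request_uri) when the request target is the OIDC
    authorize endpoint and carries a request_uri, else None."""
    parts = urlsplit(target)
    if parts.path != AUTHZ_PATH:
        return None
    values = parse_qs(parts.query).get("request_uri")  # parse_qs URL-decodes
    if not values:
        return None
    request_uri = values[0]
    host = (urlsplit(request_uri).hostname or "").lower()
    return host, request_uri


def target_class(host):
    """'internal' for localhost / private / loopback / link-local targets
    (e.g. cloud metadata), 'external' for everything else."""
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"


def detect_ssrf_attempts(access_lines, allowed_hosts):
    """Flag authorize requests whose request_uri host is not allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        found = request_uri_host(m["target"])
        if found is None:
            continue
        host, request_uri = found
        if host in allowed:
            continue
        hits.append({"src": m["ip"], "ts": m["ts"], "host": host,
                     "request_uri": request_uri, "target_class": target_class(host)})
    return hits


def find_idp_callbacks(egress_lines, allowed_hosts):
    """Confirm exploitation: outbound fetches by the IdP (UA contains
    ShibbolethIdp) to hosts outside the allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    callbacks = []
    for line in egress_lines:
        m = EGRESS_RE.match(line)
        if not m or IDP_FETCH_UA not in m["ua"]:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host not in allowed:
            callbacks.append({"ts": m["ts"], "src": m["src"], "host": host, "url": m["url"]})
    return callbacks


# Constructed sample data (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [04/Feb/2022:10:00:00 +0000] "GET /idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https%3A%2F%2Fabc123.interact.sh%2Fx HTTP/1.1" 302 0 "-" "curl/7.81.0"',
    '198.51.100.2 - - [04/Feb/2022:10:00:01 +0000] "GET /idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https%3A%2F%2Frp.example.edu%2Foidc%2Freq%2F42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Feb/2022:10:00:02 +0000] "GET /idp/profile/oidc/authorize?client_id=demo_rp&request_uri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 302 0 "-" "curl/7.81.0"',
    '198.51.100.9 - - [04/Feb/2022:10:00:03 +0000] "GET /idp/profile/oidc/authorize?client_id=demo_rp&scope=openid HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Feb/2022:10:00:04 +0000] "GET /idp/status HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]
SAMPLE_EGRESS_LOG = [
    '2022-02-04T10:00:00Z 10.0.0.5 GET https://abc123.interact.sh/x "ShibbolethIdp"',
    '2022-02-04T10:00:01Z 10.0.0.5 GET https://rp.example.edu/oidc/req/42 "ShibbolethIdp"',
    '2022-02-04T10:00:05Z 10.0.0.8 GET https://updates.example.net/ "apt-http/2.4"',
]

if __name__ == "__main__":
    for hit in detect_ssrf_attempts(SAMPLE_ACCESS_LOG, ALLOWED_REQUEST_URI_HOSTS):
        print("attempt:", hit)
    for cb in find_idp_callbacks(SAMPLE_EGRESS_LOG, ALLOWED_REQUEST_URI_HOSTS):
        print("confirmed callback:", cb)
```

Run against the constructed data, the first function flags the interactsh probe (external) and the metadata-service probe (internal) and passes the registered RP's request_uri; the second returns only the IdP's fetch to the interactsh host, which is the confirmation signal the bullets describe. An allowlist of exact hosts is deliberate: matching on "looks like a Collaborator domain" misses SSRF against internal services, which is the more damaging case.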

CVSS provenance

NVD, CVSS v3.1: 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
NVD, CVSS v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:P/I:P/A:N