CVE-2023-36661
published 2023-06-25

CVE-2023-36661: Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

Priority: P2
CVSS 3.1: 7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, no privileges or user interaction required; impact scored on availability only)
Exploited in the wild: yes (listed in VulnCheck KEV)
EPSS: 3.06% (85.9th percentile)

Affected

8 ranges
Vendor              Product        Version range                  Fixed in
debian              debian_linux   (not listed)                   (not listed)
debian              debian_linux   (not listed)                   (not listed)
debian              xmltooling     < 3.2.3-1+deb12u1 (bookworm)   3.2.3-1+deb12u1 (bookworm)
shibboleth          xmltooling     < 3.2.4                        3.2.4
xmltooling_project  xmltooling     >= 0, < 3.2.0-3+deb11u1        3.2.0-3+deb11u1
xmltooling_project  xmltooling     >= 0, < 3.2.3-1+deb12u1        3.2.3-1+deb12u1
xmltooling_project  xmltooling     >= 0, < 3.2.4-1                3.2.4-1
xmltooling_project  xmltooling     >= 0, < 3.2.4-1                3.2.4-1

Detection & IOCs (extracted from sources)

  • The SSRF vector is a crafted KeyInfo element within an XML signature. Inspect or alert on anomalous or external-referencing KeyInfo elements in SAML/XML payloads processed by XMLTooling or Shibboleth SP.
  • Root cause: XMLTooling did not properly handle certain KeyInfo element content within an XML signature. Monitor for unexpected outbound HTTP/S connections originating from the shibd process after SAML assertion processing.
  • Patching alone is not enough: restart the shibd process after updating so the fixed library is actually loaded. Use process-level network monitoring to detect shibd making unexpected outbound connections, which may indicate active exploitation.
  • The fixed upstream XMLTooling version is 3.2.4; every earlier version is vulnerable. Debian fixed versions vary by release: bullseye 3.2.0-3+deb11u1, bookworm 3.2.3-1+deb12u1, trixie/forky/sid 3.2.4-1.
  • Red Hat products (Red Hat Fuse 7, JBoss EAP 7/8, JBoss Fuse 6, Red Hat Single Sign-On 7) are listed as Not Affected or Out of Support Scope for this CVE.
  • One referenced source, a Metasploit module, targets a different vulnerability (CVE-2024-21893 / CVE-2024-21887 in Ivanti Connect Secure) and is unrelated to CVE-2023-36661; no IOCs were taken from it.
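One way to implement the first detection item above, as an added example that is not code from this page, XMLTooling, OpenSAML or Shibboleth: it walks every ds:KeyInfo in a SAML response and reports any URI attribute that points outside the signed document. The page does not state which KeyInfo construct triggers the SSRF, so the check is the generic one; the two sample responses, the instance-metadata address 169.254.169.254 and the function names are constructed for this example. Only attributes named URI are examined, because XML-DSig identifier attributes such as Type and Algorithm are also URIs but are never dereferenced by a signature library.

```python
# Added example for this page (not code from XMLTooling, OpenSAML or Shibboleth):
# report ds:KeyInfo content that refers outside the signed document.
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEYINFO_TAG = "{%s}KeyInfo" % DS_NS


def _local(name: str) -> str:
    """Strip Clark-notation namespace: '{ns}Name' -> 'Name'."""
    return name.rsplit("}", 1)[-1]


def classify_uri(uri: str) -> str:
    """Classify a URI attribute the way an XML-DSig resolver would treat it.

    'same-document' : '' or '#id', resolved inside the XML, no network or file I/O
    'external'      : carries a scheme (http, https, file, ...), fetched elsewhere
    'relative'      : no scheme and no '#', resolved against the base URI, still I/O
    """
    value = uri.strip()
    if value == "" or value.startswith("#"):
        return "same-document"
    if urlparse(value).scheme:
        return "external"
    return "relative"


def external_refs_in_keyinfo(xml_bytes: bytes) -> list:
    """Return one finding per URI attribute under any ds:KeyInfo that is not a
    same-document reference.

    Only attributes named URI are inspected. Type= and Algorithm= values are
    URIs too, but they are identifiers that a signature library compares and
    never dereferences; flagging them would alarm on every valid signature.
    ds:Reference/@URI inside ds:SignedInfo is outside KeyInfo and is ignored.
    """
    root = ET.fromstring(xml_bytes)
    findings = []
    for keyinfo in root.iter(KEYINFO_TAG):
        for el in keyinfo.iter():
            for attr, value in el.attrib.items():
                if _local(attr) != "URI":
                    continue
                kind = classify_uri(value)
                if kind != "same-document":
                    findings.append({"element": _local(el.tag), "uri": value, "kind": kind})
    return findings


# Constructed sample: a normal SAML response carrying the signing certificate
# inline. The only URI in the signature is the same-document reference.
BENIGN_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>MIIBdummyCert</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

# Constructed sample: KeyInfo tells the verifier to fetch the key from a URL.
# 169.254.169.254 is the usual cloud instance-metadata address, a typical SSRF
# target; the Type= value is a legitimate identifier and must not be reported.
SUSPECT_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_r2"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:RetrievalMethod Type="http://www.w3.org/2000/09/xmldsig#rawX509Certificate"
                          URI="http://169.254.169.254/latest/meta-data/"/>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RESPONSE), ("suspect", SUSPECT_RESPONSE)):
        print(label, external_refs_in_keyinfo(doc))
```

Run this on the base64-decoded SAMLResponse before it reaches the SP (or over captured assertions in a log pipeline). Relative URIs are reported as well as absolute ones, since a resolver may dereference them against the document's base URI; a same-document reference such as "#_r1" is the only form that needs no I/O and is therefore the only one left unreported.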

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv                      7.5    HIGH
vulncheck                7.5    HIGH
vendor_debian            7.5    HIGH
vendor_redhat            7.5    HIGH