CVE-2023-36661
Published: 2023-06-25
Priority: P2 · 75 · high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.06% (85.9th percentile)
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | xmltooling | < xmltooling 3.2.3-1+deb12u1 (bookworm) | xmltooling 3.2.3-1+deb12u1 (bookworm) |
| shibboleth | xmltooling | < 3.2.4 | 3.2.4 |
| xmltooling_project | xmltooling | >= 0 < 3.2.0-3+deb11u1 | 3.2.0-3+deb11u1 |
| xmltooling_project | xmltooling | >= 0 < 3.2.3-1+deb12u1 | 3.2.3-1+deb12u1 |
| xmltooling_project | xmltooling | >= 0 < 3.2.4-1 | 3.2.4-1 |
| xmltooling_project | xmltooling | >= 0 < 3.2.4-1 | 3.2.4-1 |
Detection & IOCs (extracted from sources)
- The SSRF vector is a crafted KeyInfo element within an XML signature; inspect or alert on anomalous or external-referencing KeyInfo elements in SAML/XML payloads processed by XMLTooling/Shibboleth SP.
- XMLTooling did not properly handle certain KeyInfo element content within an XML signature; monitor for unexpected outbound HTTP/S connections originating from the shibd process following SAML assertion processing.
- After patching, restart the shibd process; use process-level monitoring to detect whether shibd is making unexpected outbound network connections, which may indicate active exploitation.
- Fixed version for XMLTooling is 3.2.4; versions before 3.2.4 are vulnerable. Debian-specific fixed versions vary by release (bookworm: 3.2.3-1+deb12u1, bullseye: 3.2.0-3+deb11u1, forky/sid/trixie: 3.2.4-1).
- Red Hat products (Red Hat Fuse 7, JBoss EAP 7/8, JBoss Fuse 6, Red Hat Single Sign-On 7) are listed as Not Affected or Out of Support Scope for this CVE.
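A defender-side check that follows from the first detection bullet above, added here as an example and not taken from this page or from the Shibboleth project: it parses a SAML/XML payload offline and reports every ds:RetrievalMethod URI under a ds:KeyInfo that is not a same-document fragment. The two sample payloads and the host name example.invalid are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# W3C XML Digital Signature namespace (real namespace, not an assumption).
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a SAML response whose KeyInfo carries one same-document
# reference (the normal case) and one RetrievalMethod pointing at an external
# URL. "example.invalid" is a reserved placeholder host, not a real target.
SUSPICIOUS_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="#keyinfo-1"/>
      <ds:RetrievalMethod URI="http://example.invalid:8080/keys"/>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

# Constructed sample of the expected shape: key material carried inline.
CLEAN_XML = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>"""


def external_keyinfo_refs(xml_text: str) -> list[dict]:
    """Return one finding per RetrievalMethod URI under any ds:KeyInfo that is
    not a same-document fragment ('#id'). xml.etree never fetches external
    resources, so inspecting the payload here makes no outbound request."""
    root = ET.fromstring(xml_text)
    findings = []
    for keyinfo in root.iter(f"{{{DS_NS}}}KeyInfo"):
        for rm in keyinfo.iter(f"{{{DS_NS}}}RetrievalMethod"):
            uri = rm.get("URI", "").strip()
            if uri.startswith("#"):
                continue  # local reference, the normal SAML case
            parsed = urlparse(uri)
            findings.append({
                "uri": uri,
                "scheme": parsed.scheme or "(relative)",
                "host": parsed.hostname or "",
                "port": parsed.port,
            })
    return findings


def keyinfo_alert(xml_text: str) -> bool:
    """True when the payload carries any external KeyInfo reference."""
    return bool(external_keyinfo_refs(xml_text))
```

Run it over captured SAML responses or SP request logs that retain the signed assertion; a non-empty result is worth an alert on an unpatched XMLTooling host.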
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- OSV: 7.5 HIGH
- VulnCheck: 7.5 HIGH
- Debian (vendor): 7.5 HIGH
- Red Hat (vendor): 7.5 HIGH
GHSA
GHSA-64v6-hr9r-33mx (CVE-2024-34581, HIGH, CWE-918; ghsa_unreviewed, 2024-06-26, CVSS 7.5)
The W3C XML Signature Syntax and Processing (XMLDsig) specification, starting with 1.0, was originally published with a "RetrievalMethod is a URI ... that may be used to obtain key and/or certificate information" statement and no accompanying information about SSRF risks, and this may have contributed to vulnerable implementations such as those discussed in CVE-2023-36661 and CVE-2024-21893. NOTE: this was mitigated in 1.1 and 2.0 via a directly referenced Best Practices document that calls on implementers to be wary of SSRF.
GHSA
GHSA-j522-236p-wx5g (CVE-2023-36661, HIGH, CWE-918; ghsa_unreviewed, 2023-06-26)
OSV
CVE-2023-36661 (HIGH; osv, 2023-06-25, CVSS 7.5)
VulnCheck
shibboleth xmltooling Server-Side Request Forgery (SSRF) (CVE-2023-36661, HIGH; vulncheck, 2023, CVSS 7.5)
Affected: shibboleth xmltooling
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://8813571.fs1.hubspotusercontent-na1.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250812.pdf
Ubuntu
XMLTooling vulnerability (CVE-2023-36661; vendor_ubuntu, 2023-08-03)
Summary: XMLTooling could be made to allow for unintended server-side actions if it received specially crafted input.
Jurien de Jong discovered that XMLTooling did not properly handle certain KeyInfo element content within an XML signature. An attacker could possibly use this issue to achieve server-side request forgery.
Instructions: After a standard system update you need to restart the shibd process to make all the necessary changes.
Red Hat
XMLTooling: SSRF via a crafted KeyInfo element (CVE-2023-36661, HIGH, CWE-918; vendor_redhat, 2023-06-26, CVSS 7.5)
- XMLTooling (Red Hat Fuse 7): Not affected
- XMLTooling (Red Hat JBoss Data Virtualization 6): Out of support scope
- XMLTooling (Red Hat JBoss Enterprise Application Platform 6): Out of support scope
- xmltooling (Red Hat JBoss Enterprise Application Platform 7): Not affected
- xmltooling (Red Hat JBoss Enterprise Application Platform 8): Not affected
- xmltooling (Red Hat JBoss Fuse 6): Out of support scope
- xmltooling (Red Hat Single Sign-On 7): Not affected
Debian
CVE-2023-36661: xmltooling (HIGH; vendor_debian, 2023, CVSS 7.5)
Scope: local
- bookworm: resolved (fixed in 3.2.3-1+deb12u1)
- bullseye: resolved (fixed in 3.2.0-3+deb11u1)
- forky: resolved (fixed in 3.2.4-1)
- sid: resolved (fixed in 3.2.4-1)
- trixie: resolved (fixed in 3.2.4-1)
No detection rules found.
No writeups or analysis indexed.