Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)
References
| Link | Resource |
|---|---|
| https://shibboleth.net/community/advisories/secadv_20230612.txt | Vendor Advisory |
| https://www.debian.org/security/2023/dsa-5432 | Third Party Advisory |
| https://shibboleth.net/community/advisories/secadv_20230612.txt | Vendor Advisory |
| https://www.debian.org/security/2023/dsa-5432 | Third Party Advisory |
Configurations
History
21 Nov 2024, 08:10
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://shibboleth.net/community/advisories/secadv_20230612.txt - Vendor Advisory | |
| References | () https://www.debian.org/security/2023/dsa-5432 - Third Party Advisory |
06 Jul 2023, 18:02
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-918 | |
| First Time |
Debian debian Linux
Shibboleth Debian Shibboleth xmltooling |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CPE | cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:a:shibboleth:xmltooling:*:*:*:*:*:*:*:* |
|
| References | (DEBIAN) https://www.debian.org/security/2023/dsa-5432 - Third Party Advisory | |
| References | (MISC) https://shibboleth.net/community/advisories/secadv_20230612.txt - Vendor Advisory |
27 Jun 2023, 08:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
25 Jun 2023, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-06-25 22:15
Updated : 2024-11-21 08:10
NVD link : CVE-2023-36661
Mitre link : CVE-2023-36661
CVE.ORG link : CVE-2023-36661
JSON object : View
Products Affected
debian
- debian_linux
shibboleth
- xmltooling
CWE
CWE-918
Server-Side Request Forgery (SSRF)