CVE-2022-24129
Published: 04 February 2022
Summary
CVE-2022-24129 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in the OIDC OP plugin for the Shibboleth Identity Provider. Its CVSS 3.1 base score is 8.2 (High).
Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a server-side request forgery (SSRF) flaw, tracked as CVE-2022-24129 and assigned CWE-918, that affects the OIDC OP plugin prior to version 3.0.4 for the Shibboleth Identity Provider. In OIDC, the request_uri parameter of an authorization request is the URL from which the OP fetches the client's Request Object (OIDC Core 1.0, section 6.2), so the OP must retrieve that URL before it can process the request. The plugin validated the parameter insufficiently, enabling an attacker to make the Identity Provider issue HTTP requests to arbitrary third-party services. The issue carries a CVSS 3.1 base score of 8.2.
An unauthenticated remote attacker can exploit the flaw over the network, without user interaction, by sending an authorization request whose request_uri points at a host of their choosing. Because the fetch originates from the Identity Provider, it reaches whatever the IdP's network position can reach, including services that are not exposed to the attacker directly. Depending on the target service and network configuration, this can result in information disclosure or unauthorized state changes on other systems while the vulnerable plugin processes OIDC requests.
Public advisories from the Shibboleth project, including secadv_20220131.txt, direct administrators to upgrade the OIDC OP plugin to version 3.0.4 or later to close the unrestricted request_uri handling. The referenced GitHub advisory from SBA Research provides additional technical detail on the parameter validation gap.
EPSS for the CVE rose after disclosure to a peak of 0.4699 before receding to the current score of 0.2283, a period of heightened predicted exploitation activity that has since subsided.
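To make the request_uri gap concrete, the following is an added example (hypothetical code written for this page, not Shibboleth's plugin code). It shows the attacker's side of the exchange, an illustrative weak check of the kind that lets any host through, and a hardened check that restricts request_uri to pre-registered https values (the request_uris client-metadata parameter; OIDC Core 6.2 allows an OP to require this) and additionally refuses hosts that resolve to non-public addresses. The client registrations, DNS answers, endpoint path and URLs are constructed for the example; the resolver is injectable so the code runs offline.

```python
"""
Added illustration of the request_uri handling gap behind CVE-2022-24129.

Hypothetical example code, not Shibboleth's. In OIDC (Core 1.0, section 6.2)
an authorization request may carry request_uri=<URL>, and the OP fetches the
Request Object from that URL before it can process the request. An OP that
accepts any URL fetches whatever it is handed, including hosts reachable only
from its own network position. Registrations, DNS answers and URLs below are
constructed for the example.
"""
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed client registrations: request_uri values each RP pre-registered
# with the OP (the request_uris client-metadata parameter).
REGISTERED_REQUEST_URIS = {
    "rp-example": {"https://rp.example.org/oidc/request-objects/req-42"},
    "rp-rebound": {"https://cb.example.org/req"},
}

# Constructed DNS answers so the example runs offline; pass
# socket.gethostbyname as the resolver for real lookups.
FAKE_DNS = {
    "rp.example.org": "93.184.216.34",      # an ordinary public address
    "cb.example.org": "10.0.0.5",           # registered host, but RFC 1918
    "metadata.internal": "169.254.169.254",  # link-local metadata service
}


def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"no DNS answer for {host}")


def attacker_authorize_url(authorize_endpoint: str, client_id: str, target: str) -> str:
    """What the attacker sends: an ordinary-looking authorization request whose
    request_uri names the host the attacker wants the OP to contact."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "request_uri": target,
    })
    return f"{authorize_endpoint}?{query}"


def vulnerable_request_uri_check(request_uri: str) -> bool:
    """Illustrative weak check: only requires an absolute URL, so any scheme
    and any host pass, and the OP goes on to fetch it."""
    parts = urlsplit(request_uri)
    return bool(parts.scheme) and bool(parts.netloc)


def hardened_request_uri_check(
    client_id: str,
    request_uri: str,
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> Tuple[bool, str]:
    """Accept only https request_uri values pre-registered by this client
    that resolve to a public address."""
    parts = urlsplit(request_uri)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname or parts.username or parts.password:
        return False, "malformed host or userinfo present"
    # OIDC Core 6.2 lets the fragment carry a hash of the Request Object;
    # compare the URL without it against the client's registered values.
    canonical = parts._replace(fragment="").geturl()
    if canonical not in REGISTERED_REQUEST_URIS.get(client_id, set()):
        return False, f"request_uri not pre-registered for client {client_id}"
    # Defence in depth: refuse hosts resolving to loopback, link-local or
    # private ranges. Resolving here and again at fetch time leaves a DNS
    # rebinding window; a production fetcher should pin the resolved address.
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError) as exc:
        return False, f"hostname did not resolve: {exc}"
    if not addr.is_global:
        return False, f"host resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Endpoint path is a placeholder, not the plugin's actual route.
    target = "http://metadata.internal/latest/meta-data/"
    print("attacker URL:", attacker_authorize_url("https://idp.example.edu/authorize", "rp-example", target))
    print("weak check accepts it:", vulnerable_request_uri_check(target))
    for cid, uri in [("rp-example", target),
                     ("rp-example", "https://rp.example.org/oidc/request-objects/req-42#abc"),
                     ("rp-rebound", "https://cb.example.org/req")]:
        print(cid, uri, hardened_request_uri_check(cid, uri, resolve=fake_resolve))
```

The third demo case is the one an allowlist alone misses: a registered RP whose hostname resolves into the IdP's private range still gets refused, which is why the address check sits behind the registration check rather than replacing it.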
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29040
Vulnerability details
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Shibboleth Identity Provider with the OIDC OP plugin, plugin versions before 3.0.4 (fixed in 3.0.4)
Mitigating Controls (likely controls, AI-derived from the cited CWE)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Boundary egress control: outbound connections to external resources are monitored and limited at the boundary, reducing SSRF impact.
- Server-side URL validation: validates server-side URLs and resource references to block SSRF attempts.
- Outbound connection monitoring: detects server-side request forgery through monitoring of unexpected outbound connections.
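The last two controls above, egress limiting and outbound-connection monitoring, rest on one observation: an Identity Provider's legitimate outbound HTTP traffic is a short, stable set of destinations (registered RPs' request_uri hosts, federation metadata feeds). The following is an added example of detection logic built on that baseline; it is not a Shibboleth feature. The log format, every line in the sample log and the allowlist are constructed for the example, so the parser must be adapted to whatever egress proxy or firewall records you actually have.

```python
"""
Added example: flagging unexpected outbound connections from an OIDC OP host.

Hypothetical detection logic, not part of Shibboleth. Two signals are used:
a connection to a non-public address (loopback, link-local, RFC 1918) from
the IdP, which a correctly restricted OP should never make, and a connection
to any hostname outside the expected egress baseline. The same baseline is
what an egress firewall rule would enforce.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed baseline of hosts the IdP is expected to contact.
EXPECTED_EGRESS_HOSTS = {"rp.example.org", "metadata.federation.example"}

# Constructed egress-proxy records in a simple key=value layout:
# "<ts> src=<ip> dst=<host>:<port> path=<path> status=<code>"
SAMPLE_LOG = """\
2022-02-04T10:15:02Z src=10.20.0.7 dst=rp.example.org:443 path=/oidc/request-objects/req-42 status=200
2022-02-04T10:15:09Z src=10.20.0.7 dst=metadata.federation.example:443 path=/metadata/aggregate.xml status=200
2022-02-04T10:16:41Z src=10.20.0.7 dst=169.254.169.254:80 path=/latest/meta-data/iam/ status=200
2022-02-04T10:16:43Z src=10.20.0.7 dst=10.20.5.12:8080 path=/actuator/env status=401
2022-02-04T10:17:00Z src=10.20.0.7 dst=attacker.example.net:443 path=/collect status=200
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed record into fields; dst is split into host/port."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    host, _, port = rec["dst"].rpartition(":")
    rec["host"], rec["port"] = host, port
    return rec


def is_non_public(host: str) -> bool:
    """True when host is a literal IP address outside the public range.
    Hostnames return False here and are judged against the allowlist."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return an alert reason for a record, or None when it matches baseline."""
    if is_non_public(rec["host"]):
        return "ssrf-internal-target"
    if rec["host"] not in EXPECTED_EGRESS_HOSTS:
        return "unexpected-egress-host"
    return None


def find_alerts(log_text: str) -> List[Dict[str, str]]:
    """Run every non-empty line through the classifier and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            alerts.append({"ts": rec["ts"], "dst": rec["dst"],
                           "path": rec["path"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The 401 on the internal request is deliberately still alerted: the SSRF attempt matters regardless of whether the target answered, and an unexpected source reaching an internal management port is the signal, not the response code.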