CVE-2022-36663

CRITICAL

Gluu Oxauth < 4.4.1 - Server-Side Request Forgery via request_uri Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-36663. PoCs published by aqeisi.

AI-analyzed exploit summary

This repository contains a Python script that exploits CVE-2022-36663, a blind SSRF vulnerability in Gluu IAM, to scan internal networks for open ports by measuring response times. The script sends crafted requests to the Gluu IAM server and analyzes the timing differences to infer port status.

Description

Gluu Oxauth before v4.4.1 allows attackers to execute blind SSRF (Server-Side Request Forgery) attacks via a crafted request_uri parameter.

Exploits (1)

nomisec SCANNER 2 stars
by aqeisi · poc
https://github.com/aqeisi/CVE-2022-36663-PoC

Classification
Scanner 95%
Attack Type
SSRF
Complexity
Moderate
Reliability
Reliable
Target: Gluu IAM
No auth needed
Prerequisites: Access to the Gluu IAM server URL · Valid authorization request URL with an empty request_uri parameter
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/GluuFederation/oxAuth/releases/tag/4.4.1
Release Notes, Vendor Advisory x_refsource_misc
https://gluu.org/gluu-4-4-1/

Scores

CVSS v3 9.8
EPSS 0.1638
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-918
Status published
Products (2)
gluu/oxauth < 4.4.1
org.gluu/oxauth-common 0 - 4.4.1 (Maven)
Published Sep 06, 2022
Tracked Since Feb 18, 2026