CVE-2023-36661
HIGH EXPLOITED
Shibboleth XMLTooling <3.2.4 - SSRF
Title source: llm
Description
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)
Exploits (1)
metasploit
WORKING POC
EXCELLENT
by sfewer-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb
Scores
CVSS v3
7.5
EPSS
0.6067
EPSS Percentile
98.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
VulnCheck KEV
2025-08-12
CWE
CWE-918
Status
published
Products (3)
debian/debian_linux
11.0
debian/debian_linux
12.0
shibboleth/xmltooling
< 3.2.4
Published
Jun 25, 2023
Tracked Since
Feb 18, 2026