CVE-2023-36661 Information

Description

Shibboleth XMLTooling before 3.2.4 as used in OpenSAML and Shibboleth Service Provider allows SSRF via a crafted KeyInfo element. (This is fixed in for example Shibboleth Service Provider 3.4.1.3 on Windows.)

Reference

https://shibboleth.net/community/advisories/secadv_20230612.txt