CVE-2022-36663: 
Java vulnerability analysis and mitigation

Gluu Oxauth before version 4.4.1 contains a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to execute blind SSRF attacks via a crafted requesturi parameter (NVD). The vulnerability was discovered in the OpenID Connect implementation where the requesturi Authorization Request parameter, which enables requests to be passed by reference rather than by value, could be exploited (Gluu Blog).

The vulnerability exists in the implementation of the requesturi Authorization Request parameter in OpenID Connect. When implemented as specified in the OpenID Connect standard, the requesturi parameter could be manipulated to launch Server-Side Request Forgery attacks against the Identity Provider. The issue was addressed in version 4.4.1 by implementing both a request_uri blocklist and allowlist that are configurable in the Gluu Server OpenID Provider JSON configuration (Gluu Blog).

This vulnerability allows attackers to perform blind Server-Side Request Forgery (SSRF) attacks, which could potentially enable unauthorized access to internal resources and services from the vulnerable server (NVD).

The vulnerability has been fixed in Gluu Oxauth version 4.4.1. The fix includes the implementation of a request_uri blocklist and allowlist feature that can be configured in the Gluu Server OpenID Provider JSON configuration. Users are advised to upgrade to version 4.4.1 or later to mitigate this vulnerability (Gluu Blog).