CVE-2023-36661: 
Linux Debian vulnerability analysis and mitigation

Shibboleth XMLTooling before version 3.2.4, as used in OpenSAML and Shibboleth Service Provider, contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability was disclosed in June 2023 and allows attackers to perform SSRF attacks via a crafted KeyInfo element (Shibboleth Advisory).

The vulnerability stems from improper handling of KeyInfo element content within XML signatures. When parsing KeyInfo elements, the shibd process attempts to dereference untrusted URLs, which can lead to server-side request forgery. While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, the vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The exploitation of this vulnerability can result in denial of service conditions at minimum. When combined with other vulnerabilities, it could potentially lead to more serious security implications. The vulnerability affects all versions of XMLTooling prior to v3.2.4 (Shibboleth Advisory).

Users should update to XMLTooling library version 3.2.4 or later. On Linux and similar platforms, the shibd process must be restarted after upgrading the component. For Windows users, the fix is included in Shibboleth Service Provider version 3.4.1.3. The project has addressed the vulnerability by implementing a 'BlockingXSECURIResolver' class to restrict the resolution of unsafe URIs in XML input (Shibboleth Advisory).