Shibboleth · Shibboleth Service Provider · CVE-2023-36661
**Name of the Vulnerable Software and Affected Versions**
Shibboleth XMLTooling versions prior to 3.2.4
Shibboleth Service Provider versions prior to 3.4.1.3
**Description**
The vulnerability allows Server-Side Request Forgery (SSRF) through a crafted KeyInfo element: by manipulating the KeyInfo element, an attacker can cause the server to make requests it did not intend to make. The estimated number of potentially affected devices worldwide is not specified, and no information is provided about real-world incidents in which this issue was exploited.
**Recommendations**
For Shibboleth XMLTooling versions prior to 3.2.4, update to version 3.2.4 or later.
For Shibboleth Service Provider versions prior to 3.4.1.3, update to version 3.4.1.3 or later.
As a temporary workaround until the update can be applied, consider restricting access to the KeyInfo element to reduce the risk of exploitation.