Shibboleth · Shibboleth Identity Provider OIDC OP Plugin · CVE-2022-24129
**Name of the Vulnerable Software and Affected Versions**
Shibboleth Identity Provider OIDC OP plugin versions prior to 3.0.4
**Description**
The issue allows server-side request forgery (SSRF) due to insufficient restriction of the `request_uri` parameter. This enables attackers to interact with arbitrary third-party HTTP services.
**Recommendations**
For versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `request_uri` parameter to minimize the risk of exploitation.
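
One way to express the workaround of restricting `request_uri`, as an added example that is not code from the Shibboleth plugin: a check that accepts only values pre-registered for the requesting client and rejects anything else before any outbound fetch is attempted. The function name, the client ID and the registered URL are hypothetical, and the registration table is constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: client_id -> request_uri values registered for it
# (stored without fragment). Names and URLs are hypothetical.
REGISTERED_REQUEST_URIS = {
    "demo-rp": {"https://rp.example.org/oidc/request.jwt"},
}

MAX_REQUEST_URI_LEN = 512  # OIDC Core limit for the whole request_uri value


def check_request_uri(client_id, request_uri, registered=REGISTERED_REQUEST_URIS):
    """Return (allowed, reason) for an authorization request's request_uri."""
    if request_uri is None:
        return True, "no request_uri present"
    if len(request_uri) > MAX_REQUEST_URI_LEN or not request_uri.isascii():
        return False, "too long or not ASCII"
    try:
        parts = urlsplit(request_uri)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        ipaddress.ip_address(parts.hostname)
        return False, "IP-literal host"
    except ValueError:
        pass  # hostname is a DNS name, continue
    # The fragment may carry a hash of the request object; it is not part
    # of the registered location, so compare without it.
    location = request_uri.split("#", 1)[0]
    if location not in registered.get(client_id, set()):
        return False, "not pre-registered for this client"
    return True, "pre-registered"


if __name__ == "__main__":
    for uri in ("https://rp.example.org/oidc/request.jwt",
                "https://other.example.net/r.jwt"):
        print(uri, check_request_uri("demo-rp", uri))
```

The exact-match allowlist is the control that matters; the earlier checks give clearer rejection reasons for logging and still hold if the registration data is looser than intended.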