Show filters
3 Total Results
Displaying 1-3 of 3
Sort by:
Attacker Value
Very High

CVE-2024-21893

Disclosure Date: January 31, 2024 (last updated December 21, 2024)
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Attacker Value
Unknown

CVE-2024-34581

Disclosure Date: June 26, 2024 (last updated June 26, 2024)
The W3C XML Signature Syntax and Processing (XMLDsig) specification, starting with 1.0, was originally published with a "RetrievalMethod is a URI ... that may be used to obtain key and/or certificate information" statement and no accompanying information about SSRF risks, and this may have contributed to vulnerable implementations such as those discussed in CVE-2023-36661 and CVE-2024-21893. NOTE: this was mitigated in 1.1 and 2.0 via a directly referenced Best Practices document that calls on implementers to be wary of SSRF.
0
Attacker Value
Unknown

CVE-2023-36661

Disclosure Date: June 25, 2023 (last updated October 08, 2023)
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)