CVE-2023-36661: n/a in n/a

High
Published: Sun Jun 25 2023 (06/25/2023, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

AI-Powered Analysis

Last updated: 07/03/2025, 13:09:36 UTC

Technical Analysis

CVE-2023-36661 is a high-severity vulnerability affecting Shibboleth XMLTooling versions prior to 3.2.4. Shibboleth XMLTooling is a core component used by OpenSAML and the Shibboleth Service Provider, which are widely deployed in federated identity management systems to enable secure single sign-on (SSO) and authentication across web applications. The vulnerability arises from improper handling of the KeyInfo element within XML signatures. Specifically, an attacker can craft a malicious KeyInfo element that triggers a Server-Side Request Forgery (SSRF) condition. SSRF vulnerabilities allow attackers to make unauthorized requests from the vulnerable server to internal or external systems, potentially bypassing network access controls. This can lead to denial of service or further exploitation of internal services that are otherwise inaccessible externally. The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network. The issue has been fixed in Shibboleth Service Provider version 3.4.1.3 on Windows and presumably in XMLTooling 3.2.4 and later. The CVSS v3.1 base score is 7.5, reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability (denial of service). Confidentiality and integrity impacts are not directly affected. No known exploits are currently reported in the wild, but the vulnerability's nature and ease of exploitation make it a significant risk for affected deployments.

Potential Impact

For European organizations, especially those in government, education, and large enterprises that rely on Shibboleth for federated identity management, this vulnerability poses a serious risk. SSRF can be leveraged to access internal services that are not exposed externally, potentially leading to service disruption or reconnaissance for further attacks. Given that Shibboleth is widely used in European academic institutions and public sector identity federations (such as eduGAIN and national identity federations), exploitation could disrupt critical authentication services, impacting availability and trust in identity infrastructure. Additionally, SSRF can be a stepping stone to more severe attacks if internal services have further vulnerabilities. The lack of required authentication means attackers can attempt exploitation without valid credentials, increasing the threat surface. The impact is particularly critical for organizations hosting sensitive internal services behind the Shibboleth Service Provider or OpenSAML components.

Mitigation Recommendations

Organizations should prioritize upgrading Shibboleth XMLTooling to version 3.2.4 or later and Shibboleth Service Provider to at least version 3.4.1.3, where the fix is confirmed. Until patches are applied, network-level mitigations can reduce risk: restrict outbound HTTP/HTTPS requests from servers running Shibboleth components to trusted destinations only, and implement strict egress filtering and firewall rules so that a forged request from the server cannot reach internal or arbitrary external hosts. Monitoring and logging of unusual outbound requests from these servers should be enhanced to detect potential exploitation attempts. Additionally, review and harden XML signature processing configurations to reject unexpected or malformed KeyInfo elements where this is configurable. Conduct thorough testing of identity federation services after patching to ensure no disruption. Finally, maintain awareness of any emerging exploit reports or advisories related to this vulnerability.
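As an added illustration of the "reject unexpected KeyInfo elements" recommendation (example code written for this page, not part of the OffSeq record, XMLTooling or Shibboleth), the following pre-validation step allowlists the `ds:KeyInfo` children a deployment expects and flags any URI attribute that points off-host. It assumes, which the record itself does not state, that the risky constructs are KeyInfo children that make the verifier fetch key material by URI (for example `ds:RetrievalMethod`); the sample messages and the `keys.internal.example` host are constructed.

```python
"""Pre-validation of ds:KeyInfo content before a SAML message reaches the
signature verifier. Assumption (not from the CVE record): KeyInfo children that
reference key material by URI can cause an outbound fetch, so only inline key
material is allowed and every URI attribute under KeyInfo is checked."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from urllib.parse import urlparse

DS = "http://www.w3.org/2000/09/xmldsig#"
# KeyInfo children that carry key material inline and require no fetch.
ALLOWED_CHILDREN = {f"{{{DS}}}X509Data", f"{{{DS}}}KeyValue", f"{{{DS}}}KeyName"}


def keyinfo_findings(xml_text, allowed_hosts=frozenset()):
    """Return a list of findings; an empty list means KeyInfo looks benign.

    Each ds:KeyInfo child outside ALLOWED_CHILDREN is reported, and so is any
    URI attribute under KeyInfo whose host is not in allowed_hosts. Fragment
    references such as '#cert1' have no host and are accepted."""
    findings = []
    root = ET.fromstring(xml_text)
    for keyinfo in root.iter(f"{{{DS}}}KeyInfo"):
        for child in keyinfo:
            local = child.tag.split("}")[-1]
            if child.tag not in ALLOWED_CHILDREN:
                findings.append(f"unexpected KeyInfo child: {local}")
            for elem in child.iter():  # includes child itself
                uri = elem.get("URI")
                host = urlparse(uri).hostname if uri else None
                if host and host not in allowed_hosts:
                    name = elem.tag.split("}")[-1]
                    findings.append(f"{name} references external host {host}")
    return findings


# Constructed samples: inline certificate (expected) vs. URI-based retrieval.
_HDR = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'xmlns:ds="{DS}"><ds:Signature><ds:KeyInfo>')
_FTR = "</ds:KeyInfo></ds:Signature></saml:Assertion>"
BENIGN_SAMPLE = _HDR + ("<ds:X509Data><ds:X509Certificate>MIIB...constructed"
                        "</ds:X509Certificate></ds:X509Data>") + _FTR
SUSPECT_SAMPLE = _HDR + ('<ds:RetrievalMethod '
                         'URI="http://keys.internal.example/cert.der"/>') + _FTR

if __name__ == "__main__":
    print("benign :", keyinfo_findings(BENIGN_SAMPLE))
    print("suspect:", keyinfo_findings(SUSPECT_SAMPLE))
```

A message with findings should be rejected or at least logged before signature verification runs, which complements the egress filtering described above rather than replacing the upgrade.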

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2023-06-25T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981fc4522896dcbdc6a2

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/3/2025, 1:09:36 PM

Last updated: 7/28/2025, 11:36:54 PM
