Server-Side Request Forgery (SSRF) Affecting iignatov/lightopenid package, versions <1.3.0
Snyk CVSS
- Attack Complexity: High
- Confidentiality: High
Threat Intelligence
- EPSS: 0.22% (61st percentile)
- Snyk ID SNYK-PHP-IIGNATOVLIGHTOPENID-174633
- published 10 May 2019
- disclosed 10 May 2019
- credit Michael Crumley
Introduced: 10 May 2019
CVE-2019-11066
How to fix?
Upgrade iignatov/lightopenid to version 1.3.0 or higher.
Overview
iignatov/lightopenid is a lightweight PHP5 library for easy OpenID authentication.
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). openid.php passes a URL taken from the incoming OpenID 2.0 assertion to curl_init without restricting its scheme or destination. Because an OpenID 2.0 assertion names the provider endpoint that the relying party must contact to verify it, an attacker who crafts the assertion can make the server issue requests of the attacker's choosing, potentially reading server configuration or connecting to internally exposed services.
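As an added illustration (this is not LightOpenID's code and not its 1.3.0 patch), the PHP 8 snippet below shows the vulnerable pattern the advisory describes next to a hardened version: the relying party POSTs a check_authentication request to whatever openid.op_endpoint the assertion supplies, so the hardened version validates scheme, userinfo and resolved address before calling curl, disables redirects, and pins curl to HTTP(S). The function names fetch_op_endpoint_unsafe, fetch_op_endpoint_safe and ssrf_reject_reason, the sample URLs and the fake resolver are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not LightOpenID code and not its 1.3.0 patch.
// Assumed/constructed names: fetch_op_endpoint_unsafe, fetch_op_endpoint_safe,
// ssrf_reject_reason, the sample URLs and the fake resolver below.

// Vulnerable pattern: trust openid.op_endpoint from the incoming assertion
// and hand it straight to curl. Whoever built the assertion chooses where
// this server connects, with which scheme, and where redirects lead.
function fetch_op_endpoint_unsafe(array $assertion): string|false
{
    $ch = curl_init($assertion['openid.op_endpoint']);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(
            ['openid.mode' => 'check_authentication'] + $assertion),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Returns null if $url may be fetched, otherwise a short rejection reason.
// $resolve maps a hostname to its IP list; defaults to gethostbynamel (IPv4
// only; add an AAAA lookup via dns_get_record for dual-stack hosts).
function ssrf_reject_reason(string $url, ?callable $resolve = null): ?string
{
    $resolve ??= static fn(string $h): array => gethostbynamel($h) ?: [];

    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return 'unparseable URL or missing host';
    }
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '$scheme' not allowed";      // file://, gopher://, dict:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL';                // http://trusted.example@10.0.0.5/
    }
    $host = strtolower(trim($p['host'], '[]'));
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return 'loopback hostname';
    }
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        return 'unresolvable host';
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE : 0/8, 127/8, 169.254/16, 240/4, ::1, ::/128, fe80::/10, ::ffff:0:0/96
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return "host resolves to private or reserved address $ip";
        }
    }
    return null;
}

// Hardened pattern: validate first, then constrain curl itself so that a
// redirect or a scheme trick cannot undo the validation.
function fetch_op_endpoint_safe(array $assertion, ?callable $resolve = null): string|false
{
    $url = (string) ($assertion['openid.op_endpoint'] ?? '');
    $why = ssrf_reject_reason($url, $resolve);
    if ($why !== null) {
        error_log("check_authentication refused for $url: $why");
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query(
            ['openid.mode' => 'check_authentication'] + $assertion),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,        // a public host must not bounce us inside
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed sample targets (not captured traffic) and a fake resolver so
// the check runs offline. 203.0.113.10 is a documentation address standing
// in for a real provider.
$fakeResolve = static fn(string $h): array =>
    $h === 'openid.example.net' ? ['203.0.113.10'] : [];

foreach ([
    'https://openid.example.net/server',          // legitimate provider
    'http://169.254.169.254/latest/meta-data/',   // cloud metadata service
    'http://[::1]:9200/_cat/indices',             // local service on loopback
    'http://admin@10.0.0.5/',                     // internal host via userinfo
    'file:///etc/passwd',                         // non-HTTP scheme
] as $u) {
    printf("%-45s %s\n", $u, ssrf_reject_reason($u, $fakeResolve) ?? 'allowed');
}
```

Two caveats a practitioner should keep in mind: the resolve-then-validate step is still exposed to DNS rebinding, because curl performs its own lookup later (pin the validated address with CURLOPT_RESOLVE, or connect to the IP and set the Host header yourself), and on hosts that can speak IPv6 the default IPv4-only resolver must be replaced so that AAAA records are checked as well. Restricting the endpoint to an allowlist of known providers, where the deployment permits it, removes the problem entirely.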