Vulnerability Description
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. It arises from unsafe use of the @ModelAttribute annotation during the OAuth authorization flow: Spring MVC binds HTTP request parameters onto the authorizationRequest object, so a client submitting the consent step can change fields of an authorization request that the server had already established.
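The binding problem the description refers to, shown as an added example that is not code from MITREid Connect: a stripped-down Spring MVC consent controller in the vulnerable shape, beside a hardened one that reads the stored request from the session without running the data binder over it. The class `PendingAuthorizationRequest`, the controller names and the `user_oauth_approval` parameter are assumptions made for this example (the project's real classes differ); the Spring annotations `@ModelAttribute`, `@SessionAttributes` and `@SessionAttribute` behave as described in Spring MVC 4.3 and later.

```java
// Added example, not MITREid Connect code. Shows the Spring MVC autobinding
// pattern described in the advisory and one way to close it. Assumes Spring MVC 4.3+.
package example;

import java.util.Set;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttribute;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;

public class AutobindingExample {

    // Hypothetical stand-in for the request the server stored in the session when
    // the user arrived at the consent page. Every public setter is a binding target.
    public static class PendingAuthorizationRequest {
        private String clientId;
        private String redirectUri;
        private Set<String> scope;
        private boolean approved;

        public String getClientId() { return clientId; }
        public void setClientId(String clientId) { this.clientId = clientId; }
        public String getRedirectUri() { return redirectUri; }
        public void setRedirectUri(String redirectUri) { this.redirectUri = redirectUri; }
        public Set<String> getScope() { return scope; }
        public void setScope(Set<String> scope) { this.scope = scope; }
        public boolean isApproved() { return approved; }
        public void setApproved(boolean approved) { this.approved = approved; }
    }

    // VULNERABLE: @ModelAttribute makes Spring look up "authorizationRequest" in the
    // session (because of @SessionAttributes) and then run the WebDataBinder over it,
    // so every request parameter whose name matches a setter is written into the
    // object before this method runs. A consent POST that adds
    //   redirectUri=https://attacker.example/cb
    // overwrites a value that was validated when the flow started.
    @Controller
    @SessionAttributes("authorizationRequest")
    public static class VulnerableConfirmController {
        @PostMapping("/authorize")
        public String approveOrDeny(
                @ModelAttribute("authorizationRequest") PendingAuthorizationRequest authRequest,
                @RequestParam(value = "user_oauth_approval", required = false) String approval,
                SessionStatus status) {
            authRequest.setApproved("true".equals(approval));
            status.setComplete();
            // redirectUri may now be whatever the browser put in the POST body
            return "redirect:" + authRequest.getRedirectUri();
        }
    }

    // HARDENED: @SessionAttribute fetches the stored object without any data binding,
    // and the handler accepts only the one parameter the consent form is meant to send.
    // The approval decision is copied over by hand; nothing else on the stored request
    // can be changed by the browser.
    @Controller
    public static class HardenedConfirmController {
        @PostMapping("/authorize")
        public String approveOrDeny(
                @SessionAttribute("authorizationRequest") PendingAuthorizationRequest authRequest,
                @RequestParam(value = "user_oauth_approval", required = false) String approval) {
            authRequest.setApproved("true".equals(approval));
            // redirectUri is still the value established before the consent page was shown
            return "redirect:" + authRequest.getRedirectUri();
        }
    }
}
```

If a handler must keep `@ModelAttribute` on a session-backed object, an `@InitBinder("authorizationRequest")` method that calls `WebDataBinder.setAllowedFields(...)` with only the fields the form legitimately submits is the usual second line of defence; note that calling `setAllowedFields()` with no names leaves every field bindable, since an empty allow-list is treated by Spring as "no restriction".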
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mitreid | Connect | <= 1.3.3 |
Related Weaknesses (CWE)
References
- http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html (Exploit, Third Party Advisory)
- https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/commit/7eba (Patch, Third Party Advisory)
- https://portswigger.net/research/hidden-oauth-attack-vectors (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-27582?
CVE-2021-27582 is a Mass Assignment (aka Autobinding) vulnerability in org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3, with a CVSS score of 9.1 (CRITICAL). It arises from unsafe use of the @ModelAttribute annotation during the OAuth authorization flow, which lets HTTP request parameters alter the authorizationRequest.
How severe is CVE-2021-27582?
CVE-2021-27582 has been rated CRITICAL with a CVSS base score of 9.1/10. A critical rating calls for prompt remediation on any MITREid Connect deployment at version 1.3.3 or earlier.
Is there a patch for CVE-2021-27582?
The references section above lists a commit in the upstream mitreid-connect/OpenID-Connect-Java-Spring-Server repository tagged as the patch, alongside the third-party write-ups of the issue. The affected product is MITREid Connect at versions up to and including 1.3.3.