CVE-2021-26715 - OpenCVE

The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mitreid	Connect

Configuration 1 [-]

cpe:2.3:a:mitreid:connect:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases
https://portswigger.net/research/hidden-oauth-attack-vectors

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-25T08:07:32

Updated: 2024-08-03T20:33:40.437Z

Reserved: 2021-02-05T00:00:00

Link: CVE-2021-26715

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-25T09:15:12.633

Modified: 2021-03-29T19:03:01.757

Link: CVE-2021-26715

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-25T08:07:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://portswigger.net/research/hidden-oauth-attack-vectors"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26715", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases", "refsource": "MISC", "url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases"}, {"name": "https://portswigger.net/research/hidden-oauth-attack-vectors", "refsource": "MISC", "url": "https://portswigger.net/research/hidden-oauth-attack-vectors"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:33:40.437Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://portswigger.net/research/hidden-oauth-attack-vectors"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26715", "datePublished": "2021-03-25T08:07:32", "dateReserved": "2021-02-05T00:00:00", "dateUpdated": "2024-08-03T20:33:40.437Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mitreid:connect:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC637AA4-26EF-4FB8-8608-6B658EBEDFF9", "versionEndIncluding": "1.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network."}, {"lang": "es", "value": "La implementaci\u00f3n del servidor OpenID Connect para MITREid Connect versiones hasta 1.3.3, contiene una vulnerabilidad de Server Side Request Forgery (SSRF). La vulnerabilidad surge debido al uso no seguro del par\u00e1metro logo_uri en la petici\u00f3n de registro de cliente din\u00e1mico. Un atacante no autenticado puede llevar a cabo una petici\u00f3n HTTP desde el servidor vulnerable a cualquier direcci\u00f3n en la red interna y obtener su respuesta (que podr\u00eda, por ejemplo, tener una carga \u00fatil de JavaScript para el XSS resultante). El problema puede ser explotado para omitir los l\u00edmites de la red, obtener datos confidenciales o atacar a otros hosts de la red interna"}], "id": "CVE-2021-26715", "lastModified": "2021-03-29T19:03:01.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-25T09:15:12.633", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://portswigger.net/research/hidden-oauth-attack-vectors"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}