CVE-2021-26715

Name of the Vulnerable Software and Affected Versions MITREid Connect versions 1.3.3 and earlier

Description The OpenID Connect server implementation contains a Server Side Request Forgery (SSRF) vulnerability due to unsafe usage of the logo uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make an HTTP request from the vulnerable server to any address in the internal network and obtain its response, potentially leading to bypassing network boundaries, obtaining sensitive data, or attacking other hosts in the internal network.

Recommendations For versions 1.3.3 and earlier, as a temporary workaround, consider restricting the usage of the logo uri parameter in the Dynamic Client Registration request to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.