PT-2021-17521 · Mitre · Mitreid Connect

Published

2021-02-23

·

Updated

2022-12-02

·

CVE-2021-27582

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

MITREid Connect versions through 1.3.3

Description

The OpenID Connect server implementation for MITREid Connect contains a Mass Assignment vulnerability, also known as Autobinding. The issue arises from unsafe use of the @ModelAttribute annotation during the OAuth authorization flow: as a result, HTTP request parameters can modify the authorizationRequest.

Recommendations

For versions through 1.3.3, consider disabling the OAuthConfirmationController until a patch is available, to prevent exploitation of the Mass Assignment vulnerability. Restrict access to the endpoint handled by org/mitre/oauth2/web/OAuthConfirmationController.java to minimize the risk of exploitation. Avoid using the @ModelAttribute annotation in the affected OAuth authorization flow until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
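
As an added illustration (not MITREid Connect's code and not part of this advisory), the following hypothetical Spring MVC controllers show the @ModelAttribute autobinding pattern the description refers to, next to a hardened form that performs no request binding on the session object. Class, field, URL and parameter names (PendingAuthorization, /confirm, user_oauth_approval) are assumptions for the demo.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttribute;
import org.springframework.web.bind.annotation.SessionAttributes;

// Hypothetical session-scoped object describing an authorization awaiting the user's consent.
// Its values are set server-side by an earlier step of the flow (not shown here).
class PendingAuthorization {
    private String clientId, redirectUri;
    private boolean approved;
    public String getClientId() { return clientId; }
    public void setClientId(String v) { clientId = v; }
    public String getRedirectUri() { return redirectUri; }
    public void setRedirectUri(String v) { redirectUri = v; }
    public boolean isApproved() { return approved; }
    public void setApproved(boolean v) { approved = v; }
}

// Vulnerable pattern: @ModelAttribute fetches the object from the session and the data binder
// then writes every request parameter whose name matches a setter (clientId, redirectUri,
// approved) into it, so server-chosen values can be overridden by the request.
@Controller
@SessionAttributes("pendingAuthorization")
class VulnerableConfirmController {
    @PostMapping("/confirm-vulnerable")
    public String confirm(@ModelAttribute("pendingAuthorization") PendingAuthorization pending) {
        return pending.isApproved() ? "redirect:" + pending.getRedirectUri() : "access_denied";
    }
}

// Hardened form: no data binding onto the session object at all. @SessionAttribute only reads
// it, and the single user-supplied input (the consent decision) is a plain, typed parameter.
@Controller
@SessionAttributes("pendingAuthorization")
class HardenedConfirmController {
    @PostMapping("/confirm")
    public String confirm(@SessionAttribute("pendingAuthorization") PendingAuthorization pending,
                          @RequestParam(name = "user_oauth_approval", defaultValue = "false") boolean approved) {
        pending.setApproved(approved);
        return approved ? "redirect:" + pending.getRedirectUri() : "access_denied";
    }
}
```

A quick check for this class of bug is to grep controllers for handler parameters annotated with @ModelAttribute whose type is a session-backed domain object and confirm that an @InitBinder allow-list or a dedicated form DTO limits what the request may set.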

Exploit

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2021-27582
GHSA-8P36-Q63G-68QH

Affected Products

Mitreid Connect