1. Home
  2. Vulnerabilities
  3. CVE-2021-26715

CVE-2021-26715

CVSS v3.1 9.1 (Critical)
91% Progress
CVSS v2.0 6.4 (Medium)
64% Progress
EPSS 0.22 % (60th)
0.22% Progress
Affected Products 1
Advisories 1
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Graph Web & Social Timeline

The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network.

Weaknesses
CWE-918
Server-Side Request Forgery (SSRF)
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2021-03-25 09:15:12
(3 years ago)
Updated Date
2021-03-29 19:03:01
(3 years ago)

Affected Products

Mitreid

Configuration #1

    CPE23 From Up To
  Mitreid Connect 1.3.3 and prior versions cpe:2.3:a:mitreid:connect <= 1.3.3