CVE-2021-27582
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.
El archivo org/mitre/oauth2/web/OAuthConfirmationController.java en la implementación del servidor OpenID Connect para MITREid Connect versiones hasta 1.3.3, contiene una vulnerabilidad de Asignación Masiva (también se conoce como Autobinding). Esto surge debido al uso no seguro de la anotación @ModelAttribute durante el flujo de autorización de OAuth, en el que los parámetros de petición HTTP afectan a una autorización de petición
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-02-23 CVE Reserved
- 2021-02-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-10-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html | 2024-08-03 | |
https://portswigger.net/research/hidden-oauth-attack-vectors | 2024-08-03 |
URL | Date | SRC |
---|---|---|
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/commit/7eba3c12fed82388f917e8dd9b73e86e3a311e4c | 2022-12-02 |
URL | Date | SRC |
---|