CVE-2021-26715
📋 TL;DR
CVE-2021-26715 is a Server-Side Request Forgery (SSRF) vulnerability in the MITREid Connect OpenID Connect server. The dynamic client registration endpoint accepts an attacker-supplied logo_uri without validating where it points, and the server later fetches that URI itself when it loads the client logo. Because dynamic registration is normally open to unauthenticated callers (as the OpenID Connect Dynamic Client Registration spec allows), an attacker chooses the destination of an HTTP request that originates from inside the server's network, including loopback, RFC 1918 and link-local addresses. This bypasses the network boundary and can expose data from internal services or serve as a stepping stone for attacks on them. MITREid Connect versions through 1.3.3 are affected.
💻 Affected Systems
- MITREid Connect OpenID Connect Java Spring Server
📦 What is this software?
MITREid Connect is MITRE's open-source OpenID Connect reference implementation, written in Java on top of Spring and Spring Security OAuth. It provides an OpenID Provider / OAuth 2.0 authorization server, including an OpenID Connect dynamic client registration endpoint, which is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete internal network compromise through SSRF chaining with other vulnerabilities, data exfiltration, and lateral movement to critical systems.
Likely Case
Internal service enumeration, credential harvesting from internal APIs such as cloud instance metadata endpoints, and potential cross-site scripting if the fetched response is served back to a browser under the attacker's chosen content.
If Mitigated
With egress filtering and logo_uri validation in place, the server can only fetch from hosts the policy still permits; residual impact is limited to probing those hosts and to information disclosure through error messages or timing differences in the fetch.
🎯 Exploit Status
Exploitation is low-effort: the attacker sends a dynamic client registration request whose logo_uri points at an internal address (or at a hostname under their control that resolves to one) and then waits for, or triggers, the server's own fetch of the client logo. No exploit code is needed beyond a crafted registration request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.4 and later
Vendor Advisory: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases
Restart Required: Yes
Instructions:
1. Upgrade to MITREid Connect version 1.3.4 or later.
2. Restart the application server.
3. Verify the fix by re-running the dynamic client registration test described under How to Verify.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation that restricts logo_uri values to trusted domains, or at least rejects schemes other than http/https and any host that resolves to a loopback, private, link-local or other internal address
Configure the application firewall or web server to drop registration requests whose logo_uri contains an internal IP address; note that a string match alone does not catch hostnames under attacker control that resolve to internal addresses, so resolve the host before deciding
Network Segmentation
Restrict outbound HTTP connections from the OpenID Connect server
Configure firewall rules to block outbound HTTP/HTTPS from the application server except to required external services, and log what is blocked
🧯 If You Can't Patch
- Disable the dynamic client registration feature entirely, or require an initial access token for it (RFC 7591) so that only known parties can register clients
- Implement strict network egress filtering and monitor for SSRF attempts, including fetches aimed at cloud metadata addresses such as 169.254.169.254
🔍 How to Verify
Check if Vulnerable:
Register a client via the dynamic client registration endpoint with a logo_uri that points at an internal address you control (for example a listener on the server's internal network that is not reachable from outside), trigger the server-side logo load (for example by starting an authorization flow for the new client so the approval page renders), and check whether the listener receives a request from the server
Check Version:
Check the version of the deployed openid-connect-server artifact, for example the org.mitre:openid-connect-server version in the deployment's pom.xml or the JAR names under WEB-INF/lib, or the version reported in the server's startup logs
Verify Fix Applied:
Repeat the same registration test after patching: the listener should receive no request for a logo_uri that points at an internal address, and the registration (or the later fetch) should be refused or logged as rejected
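The verification steps above, as an added end-to-end probe script (not MITREid Connect project code). It assumes the issuer exposes the OpenID Connect dynamic registration endpoint at /register and answers with a JSON document containing client_id; the listener URL you pass must be an address that only the server can reach, so a callback proves the server-side fetch. How the logo load is triggered varies by deployment, so the trigger is passed in as a callable that receives the new client_id.

```python
"""Added example, not MITREid Connect code: register a client whose logo_uri
points at a listener we control and report whether the server calls back.
Assumptions: /register is the registration endpoint, the response carries
client_id, and the listener address is reachable only from the server."""
import json
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _LogoProbe(BaseHTTPRequestHandler):
    """Records every request the OpenID server makes to the listener."""
    hits = []

    def do_GET(self):
        _LogoProbe.hits.append({"peer": self.client_address[0], "path": self.path,
                                "ua": self.headers.get("User-Agent", "")})
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.end_headers()

    def log_message(self, *_):
        pass  # hits are returned by probe(), not printed per request


def registration_body(listener_url: str, marker: str) -> dict:
    """Minimal RFC 7591 registration document.  The marker in logo_uri lets a
    callback be matched to this specific registration."""
    return {
        "client_name": f"logo-probe-{marker}",
        "redirect_uris": ["https://client.example.com/callback"],
        "grant_types": ["authorization_code"],
        "logo_uri": f"{listener_url.rstrip('/')}/logo-{marker}.png",
    }


def callbacks_for(hits: list, marker: str) -> list:
    """Keep only the listener hits caused by this probe's registration."""
    return [h for h in hits if f"logo-{marker}" in h["path"]]


def register(issuer: str, body: dict, timeout: float = 10.0) -> dict:
    req = urllib.request.Request(
        f"{issuer.rstrip('/')}/register", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def probe(issuer: str, listener_url: str, bind_port: int, trigger=None,
          wait: float = 30.0) -> dict:
    """Register the probe client, run `trigger(client_id)` (whatever makes the
    server load the client logo in your deployment, e.g. opening the approval
    page for that client), then wait up to `wait` seconds for a callback."""
    marker = str(int(time.time()))
    srv = HTTPServer(("0.0.0.0", bind_port), _LogoProbe)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        reg = register(issuer, registration_body(listener_url, marker))
        if trigger is not None:
            trigger(reg["client_id"])
        deadline = time.time() + wait
        while time.time() < deadline and not callbacks_for(_LogoProbe.hits, marker):
            time.sleep(0.25)
        seen = callbacks_for(_LogoProbe.hits, marker)
        return {"client_id": reg["client_id"],
                "server_fetched_logo": bool(seen), "callbacks": seen}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    import sys
    # usage: probe.py <issuer-base-url> <listener-url-as-seen-by-server> <bind-port>
    print(json.dumps(probe(sys.argv[1], sys.argv[2], int(sys.argv[3])), indent=2))
```

A `server_fetched_logo` of true with a peer address belonging to the OpenID server is the vulnerable result; the `ua` field (typically a Java HTTP client string) helps distinguish the server's fetch from a stray browser hit. Clean up the probe client afterwards, since the registration persists.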
📡 Detection & Monitoring
Log Indicators:
- Unusual dynamic client registration requests
- logo_uri parameters containing internal IP addresses or unusual domains
- HTTP requests from server to internal services
Network Indicators:
- Outbound HTTP requests from OpenID server to internal network ranges
- Unusual traffic patterns from application server
SIEM Query:
source="openid-server" uri="*/register*" logo_uri=*
| regex logo_uri="^https?://(\[?::1\]?|localhost|0\.|10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"
(Pseudo-SPL; the field names depend on how your pipeline parses the registration body. A string match cannot catch an attacker-controlled hostname that resolves to an internal address, so correlate it with the outbound-connection indicators above.)
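One check that serves both the Input Validation Filter workaround above and the detection logic in this section, as an added example that is not MITREid Connect code. The same policy that rejects a logo_uri at registration time is run over constructed registration log lines to flag what the SIEM query would miss (hostnames resolving to internal addresses, IPv4-mapped IPv6 literals). The log format, the DNS table and the /register path are assumptions made for the example.

```python
"""Added example, not MITREid Connect code: a logo_uri policy check usable as
the registration-time filter, plus a scan of registration log lines using it.
Log format, DNS answers and endpoint path are constructed assumptions."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetch must never reach (assumed policy; add your
# own ranges).  169.254.0.0/16 also covers cloud metadata services.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr (IPv4, IPv6, or IPv4-mapped IPv6) lies in a blocked range."""
    ip = ipaddress.ip_address(addr)
    if getattr(ip, "ipv4_mapped", None) is not None:  # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> list:
    """Production resolver: the addresses the fetcher would actually connect to.
    Also normalises odd forms such as 127.1 or 2130706433 the way libc does."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_logo_uri(uri: str, resolve=system_resolve) -> str:
    """Return "ok" or a rejection reason.  Hostnames are resolved so a string
    match cannot be bypassed with attacker-controlled DNS.  Re-check or pin the
    address at fetch time too: a name that is public now can be rebound later."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not parts.hostname:
        return "no host"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"
    host = parts.hostname
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback name"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # dotted/colon literal
    except ValueError:
        addrs = resolve(host)                       # hostname or exotic literal
    if not addrs:
        return "unresolvable host"                  # fail closed
    if any(is_blocked_address(a) for a in addrs):
        return "resolves to internal address"
    return "ok"


# Constructed DNS answers so the example runs offline (assumption, not real DNS).
DEMO_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "rebind.attacker.example": ["203.0.113.5", "10.0.0.5"],  # public + internal
}


def demo_resolve(host: str) -> list:
    return DEMO_DNS.get(host, [])


# Constructed log lines (not a real MITREid log format): registration requests
# with the submitted logo_uri echoed into the log.
SAMPLE_LOG = """\
2021-02-05T10:00:01Z POST /register client_name="acme-app" logo_uri="https://cdn.example.com/logo.png"
2021-02-05T10:00:07Z POST /register client_name="x" logo_uri="http://169.254.169.254/latest/meta-data/iam/"
2021-02-05T10:00:09Z POST /register client_name="y" logo_uri="http://rebind.attacker.example/logo.png"
2021-02-05T10:00:12Z GET /api/clients/7/logo logo_uri="http://127.0.0.1:8080/actuator/env"
2021-02-05T10:00:15Z POST /register client_name="z" logo_uri="http://[::ffff:10.0.0.1]/x.png"
"""

_LINE = re.compile(r'^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) .*?logo_uri="(?P<uri>[^"]*)"')


def scan_registration_log(text: str, resolve=system_resolve) -> list:
    """Return (timestamp, logo_uri, reason) for each /register request whose
    logo_uri the policy rejects.  Other paths are ignored on purpose."""
    findings = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or not m.group("path").endswith("/register"):
            continue
        verdict = check_logo_uri(m.group("uri"), resolve)
        if verdict != "ok":
            findings.append((m.group("ts"), m.group("uri"), verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_registration_log(SAMPLE_LOG, demo_resolve):
        print(*finding)
```

Two design points: the check resolves the host and rejects if any returned address is internal, because an attacker can publish one public and one private A record; and an unresolvable or exotic host is rejected rather than allowed, since the production resolver (libc) accepts forms like 127.1 that the string checks never see. For production use, pass the default `system_resolve` and apply the same check again when the fetch actually opens the connection.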