SSRF via logo_uri in MITREid Connect - Vulnerability Database

SSRF via logo_uri in MITREid Connect

Description

MITREid Connect versions through 1.3.3 contain a Server Side Request Forgery (SSRF) vulnerability (CVE-2021-26715) in the OpenID Connect server implementation. The Dynamic Client Registration endpoint does not validate the logo_uri parameter that a client supplies when it registers. Because registration is open, an unauthenticated attacker can register a client whose logo_uri points at an arbitrary URL, including internal network resources that would normally be unreachable from the internet, and the server then fetches that URL on the attacker's behalf. The fetched response is returned to the requester, so the flaw can expose data from internal services or enable secondary attacks such as Cross-Site Scripting (XSS) if the fetched content is served back as HTML containing attacker-controlled JavaScript.

Remediation

Apply one of the following remediation strategies:

1. Upgrade MITREid Connect: Update to the latest release of MITREid Connect from the official repository at https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/releases. Check the release notes to confirm that the version you deploy includes the fix for CVE-2021-26715 before relying on the upgrade alone.

2. Implement Input Validation: If an immediate upgrade is not possible, add strict validation of the logo_uri parameter in the Dynamic Client Registration endpoint, and apply the same checks again at the moment the logo is actually fetched:

• Maintain an allowlist of permitted domains or URL patterns wherever the set of legitimate logo hosts is known
• Allow only the http and https schemes (https only where practicable) and reject every other scheme, including file:, as well as URLs carrying userinfo (user:pass@host)
• Resolve the hostname and reject the URL if any resolved address falls in a private range (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8, ::1), link-local (169.254.0.0/16, fe80::/10, which includes the 169.254.169.254 cloud metadata endpoint), or an IPv4-mapped IPv6 form of any of these; checking resolved addresses rather than the hostname string also catches decimal or octal IP spellings and attacker-controlled DNS records
• Do not follow redirects automatically; re-validate each redirect target with the same rules
• Serve the fetched logo only when its Content-Type is an image type, and send X-Content-Type-Options: nosniff, so an HTML response fetched via SSRF cannot be rendered as a page in a victim's browser

3. Network Segmentation: Implement network-level controls (egress firewall rules) that restrict outbound connections from the MITREid Connect server to the external resources it actually needs, so that a forged request cannot reach internal network segments or the cloud metadata service even if the application-layer check is bypassed.

4. Verification: After applying fixes, test the Dynamic Client Registration endpoint by registering clients whose logo_uri points at internal IP addresses, loopback, the cloud metadata endpoint, an IPv4-mapped IPv6 literal, and a public host that redirects to one of these, and confirm that each registration is rejected or that the subsequent logo fetch fails and returns nothing to the requester.
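As an added illustration of the validation checks in remediation 2 and the verification cases in remediation 4 (example code written for this page, not MITREid Connect's own Java code or any of its APIs), the following Python module validates a logo_uri against the addresses its host resolves to, re-validates every redirect hop, and only hands back image content types. The hostnames, addresses and HTTP responses are constructed so it runs offline; in MITREid Connect the equivalent logic would live in the registration endpoint and in the code that fetches the logo.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Ranges a logo fetch must never reach: "this host", RFC 1918, CGNAT, loopback,
# link-local (which covers the 169.254.169.254 cloud metadata service) and the
# IPv6 loopback, unique-local and link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
# Only raster image types are served back; SVG is excluded because it can carry script.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def is_blocked_address(ip_text):
    """True if the address is in a blocked range. IPv4-mapped IPv6 addresses
    (::ffff:127.0.0.1) are unwrapped so they cannot bypass the IPv4 rules."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])  # strip any zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Every address (A and AAAA) the OS would connect to for this host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_logo_uri(uri, resolver=system_resolver, allowed_hosts=None):
    """Return (True, "ok") or (False, reason). Checks run on the *resolved*
    addresses, so decimal IP spellings and attacker-controlled DNS names that
    point inside the network are caught, not only literal private IPs."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo not allowed"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP, no lookup
    except ValueError:
        try:
            addresses = set(resolver(host))
        except socket.gaierror:
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"address {ip} is in a blocked range"
    return True, "ok"


def fetch_logo(uri, fetch, resolver=system_resolver, max_redirects=3):
    """Fetch a logo, validating every hop. `fetch(uri)` must NOT follow
    redirects itself and returns (status, headers, body) with lower-case
    header names. Returns (bytes, "ok") or (None, reason)."""
    for _ in range(max_redirects + 1):
        ok, reason = validate_logo_uri(uri, resolver)
        if not ok:
            return None, reason
        status, headers, body = fetch(uri)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("location")
            if not location:
                return None, "redirect without Location header"
            uri = urljoin(uri, location)  # re-validated on the next iteration
            continue
        if status != 200:
            return None, f"unexpected status {status}"
        content_type = headers.get("content-type", "").split(";")[0].strip().lower()
        if content_type not in ALLOWED_IMAGE_TYPES:
            return None, f"not an allowed image type: {content_type or 'none'}"
        return body, "ok"
    return None, "too many redirects"


# Constructed DNS answers and HTTP responses (hypothetical hosts) so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "dual.example": ["203.0.113.20", "10.0.0.5"],  # one private answer: reject
}
FAKE_HTTP = {
    "https://cdn.example.com/logo.png": (200, {"content-type": "image/png"}, b"\x89PNG..."),
    "https://cdn.example.com/page.html": (200, {"content-type": "text/html"}, b"<script>alert(1)</script>"),
    "https://cdn.example.com/bounce": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


def fake_fetch(uri):
    return FAKE_HTTP[uri]


if __name__ == "__main__":
    for uri in ("https://cdn.example.com/logo.png", "http://[::ffff:127.0.0.1]/", "https://dual.example/logo.png"):
        print(uri, "->", validate_logo_uri(uri, fake_resolver), fetch_logo(uri, fake_fetch, fake_resolver))
```

The validator checks the addresses a name resolves to, but the real HTTP client resolves the name again when it connects, which leaves a DNS rebinding window; to close it, connect to the validated address directly and set the Host header yourself, or resolve once and pin the result for the fetch. Keep the egress firewall from remediation 3 in place regardless, since an application-layer list will always miss a range somebody forgot.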