<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p>Dear MITREid Connect,<o:p></o:p></p><p>I'm reaching out as a member of the Siemens Vulnerability Monitoring (SVM) team, responsible for informing Siemens customers and employees about vulnerabilities affecting third-party components. We focus in vulnerability analysis and reply mostly on public available information, without reproducing reported exploits.<o:p></o:p></p><p>We are currently investigating a vulnerability with assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26715. Further details on the vulnerability can be found in this link <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26715">https://nvd.nist.gov/vuln/detail/CVE-2021-26715</a>.<o:p></o:p></p><p>It is unclear to us, whether the vulnerability has been addressed in the corresponding product:<br>• OpenID-Connect-Java-Spring-Server: <a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server</a><o:p></o:p></p><p>Could you please shortly elaborate whether there are plans to publish a release, which includes the fix, and when is the expected release date? This information would help us to inform our users accordingly.<span style='mso-fareast-language:EN-US'><o:p></o:p></span></p><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=PT style='font-size:10.0pt;font-family:"Arial",sans-serif;mso-fareast-language:EN-GB'>With best regards,<br>José Lino<br><br>Siemens S.A.<br>CYS DEF EU2<br>Rua Irmaos Siemens, 1<br>2720-093 Amadora, Portugal <br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;mso-fareast-language:EN-GB'><a href="mailto:jose.roque_lino@siemens.com"><span lang=PT style='color:blue'>mailto:jose.roque_lino@siemens.com</span></a></span><span lang=PT style='mso-fareast-language:EN-GB'><o:p></o:p></span></p></div></div></div></div><p class=MsoNormal><span lang=PT><o:p> </o:p></span></p></div></body></html>