<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">The vulnerability as described is a known limitation within the protocols and not unique to the MITREid Connect project. Any time you let an outside party provide a URL that is meant to be fetched by the server, that URL could have bad effects. Therefore, ALL URLs that are outbound calls from the AS need to be protected: it’s a server-wide protection, not specific to the MITREid Connect software itself. <div class=""><br class=""></div><div class="">The reporters of the CVE entry contacted us with a proposed fix that addressed only the “logo_uri” value, without addressing any of the others. In addition, the proposed fix for the “logo_uri” would have potential privacy impacts on end-users. Since this fix was both incomplete and had other problems, the proposed fix was not applied to the software.</div><div class=""><br class=""></div><div class="">In short, the actual fix is at the server level, to configure the hosted environment to not allow the AS to fetch these kinds of URLs directly, or blocklist internal URLs from any user-supplied values (and especially not just the logo URI).</div><div class=""><br class=""></div><div class=""> — Justin<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Sep 6, 2021, at 11:31 AM, Pereira Roque Lino, Jose Eduardo <<a href="mailto:jose.roque_lino@siemens.com" class="">jose.roque_lino@siemens.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><p class="">Dear MITREid Connect,<o:p class=""></o:p></p><p class="">I'm reaching out as a member of the Siemens Vulnerability Monitoring (SVM) team, responsible for informing Siemens customers and employees about vulnerabilities affecting third-party components. We focus in vulnerability analysis and reply mostly on public available information, without reproducing reported exploits.<o:p class=""></o:p></p><p class="">We are currently investigating a vulnerability with assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26715. Further details on the vulnerability can be found in this link<span class="Apple-converted-space"> </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26715" style="color: rgb(5, 99, 193); text-decoration: underline;" class="">https://nvd.nist.gov/vuln/detail/CVE-2021-26715</a>.<o:p class=""></o:p></p><p class="">It is unclear to us, whether the vulnerability has been addressed in the corresponding product:<br class="">• OpenID-Connect-Java-Spring-Server:<span class="Apple-converted-space"> </span><a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server" style="color: rgb(5, 99, 193); text-decoration: underline;" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server</a><o:p class=""></o:p></p><p class="">Could you please shortly elaborate whether there are plans to publish a release, which includes the fix, and when is the expected release date? This information would help us to inform our users accordingly.<span class=""><o:p class=""></o:p></span></p><div class=""><div class=""><div class=""><div class=""><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="PT" style="font-size: 10pt; font-family: Arial, sans-serif;" class="">With best regards,<br class="">José Lino<br class=""><br class="">Siemens S.A.<br class="">CYS DEF EU2<br class="">Rua Irmaos Siemens, 1<br class="">2720-093 Amadora, Portugal<span class="Apple-converted-space"> </span><br class=""></span><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><a href="mailto:jose.roque_lino@siemens.com" style="color: rgb(5, 99, 193); text-decoration: underline;" class=""><span lang="PT" style="color: blue;" class="">mailto:jose.roque_lino@siemens.com</span></a></span><span lang="PT" class=""><o:p class=""></o:p></span></div></div></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="PT" class=""><o:p class=""> </o:p></span></div></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">mitreid-connect mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="mailto:mitreid-connect@mit.edu" style="color: rgb(5, 99, 193); text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">mitreid-connect@mit.edu</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" style="color: rgb(5, 99, 193); text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></div></blockquote></div><br class=""></div></body></html>