CVE-2021-27582
Description
MITREid Connect through 1.3.3 has a mass assignment vulnerability in its OAuth confirmation controller via unsafe use of @ModelAttribute, allowing attackers to alter authorization parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The OpenID Connect server implementation in MITREid Connect through version 1.3.3 contains a mass assignment (autobinding) vulnerability in OAuthConfirmationController.java [1][3]. It arises from unsafe use of the @ModelAttribute annotation during the OAuth authorization flow [2][3]: Spring MVC automatically binds HTTP request parameters onto the annotated Java object, so an attacker can supply extra HTTP parameters that are bound to the authorizationRequest object [2][3].
Attack Vector and Exploitation
An attacker can exploit this by crafting a malicious authorization request to the server, adding unexpected HTTP parameters that the @ModelAttribute will bind to the model [1][2]. No prior authentication is required; the attacker only needs to trick a user (or the authorization endpoint) into processing a carefully constructed request [1][3]. The vulnerability is triggered during the standard OAuth/OpenID Connect authorization flow [1][3].
Impact
By over-posting additional parameters, the attacker can modify properties of the authorizationRequest object beyond what is normally allowed [2][3]. Depending on the exact fields present in the model, this could lead to bypass of authorization constraints, redirection of tokens or codes to attacker-controlled URIs, or other OAuth flow manipulation [1][3]. The root cause is the lack of input filtering on the parameters bound by @ModelAttribute [2][3].
Mitigation Status
The vulnerability was publicly disclosed in February 2021 [3]. Users of MITREid Connect are advised to upgrade to a fixed version or apply a manual patch that restricts the set of HTTP parameters accepted by the @ModelAttribute method [2][3]. As of the publication date, no fix was released in the 1.3.3 version, and the project may be end-of-life, so migration to alternative solutions may be necessary [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
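The autobinding mechanism described in the overview above, and the "restrict the set of accepted HTTP parameters" mitigation, as an added example that is not MITREid Connect's code: it drives Spring's DataBinder (the same binder that backs @ModelAttribute) directly with a constructed parameter map, first with no field restriction and then with an allowlist. AuthRequestForm is a hypothetical stand-in for the bound object, the parameter values are constructed, and the class assumes spring-context is on the classpath.

```java
// Added example (not MITREid Connect code): Spring DataBinder autobinding
// with and without an allowlist of bindable fields. Needs spring-context.
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class AutobindingDemo {

    // Hypothetical stand-in for the object a controller binds. Only "scope"
    // is meant to be caller-supplied; the other two are set by the server.
    public static class AuthRequestForm {
        private String scope;
        private String redirectUri = "https://client.example/cb"; // constructed default
        private boolean approved = false;

        public String getScope() { return scope; }
        public void setScope(String scope) { this.scope = scope; }
        public String getRedirectUri() { return redirectUri; }
        public void setRedirectUri(String redirectUri) { this.redirectUri = redirectUri; }
        public boolean isApproved() { return approved; }
        public void setApproved(boolean approved) { this.approved = approved; }
    }

    // What @ModelAttribute does with no field restriction: every request
    // parameter whose name matches a writable property is written through its setter.
    public static AuthRequestForm bindUnrestricted(Map<String, String> params) {
        AuthRequestForm target = new AuthRequestForm();
        DataBinder binder = new DataBinder(target, "authorizationRequest");
        binder.bind(new MutablePropertyValues(params));
        return target;
    }

    // Hardened variant: an explicit allowlist, the same call an @InitBinder
    // method makes on its WebDataBinder. Parameters outside the list are dropped
    // and recorded as suppressed fields, which is a useful thing to log.
    public static AuthRequestForm bindAllowlisted(Map<String, String> params) {
        AuthRequestForm target = new AuthRequestForm();
        DataBinder binder = new DataBinder(target, "authorizationRequest");
        binder.setAllowedFields("scope");
        binder.bind(new MutablePropertyValues(params));
        String[] suppressed = binder.getBindingResult().getSuppressedFields();
        if (suppressed.length > 0) {
            System.out.println("suppressed over-posted fields: " + Arrays.toString(suppressed));
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed request parameters: one legitimate, two over-posted.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("scope", "openid");
        params.put("redirectUri", "https://attacker.example/cb");
        params.put("approved", "true");

        AuthRequestForm loose = bindUnrestricted(params);
        System.out.println("unrestricted: redirectUri=" + loose.getRedirectUri()
                + " approved=" + loose.isApproved());

        AuthRequestForm strict = bindAllowlisted(params);
        System.out.println("allowlisted:  redirectUri=" + strict.getRedirectUri()
                + " approved=" + strict.isApproved());
    }
}
```

The unrestricted copy ends up with the over-posted redirectUri and approved=true, while the allowlisted copy keeps its server-set defaults and reports redirectUri and approved as suppressed fields. In a real controller the allowlist belongs in an @InitBinder method that calls setAllowedFields on the WebDataBinder, or, as the project's own fix does, the object is taken from the model rather than bound from the request at all; logging the suppressed fields gives a cheap signal that someone is probing for autobinding.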
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.mitre:openid-connect-parent (Maven) | <= 1.3.3 | — |
Affected products
- MITREid / MITREid Connect
Patches
- 7eba3c12fed8 Fix Spring Autobinding vulnerability
1 file changed · +2 −2
openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java+2 −2 modified@@ -103,9 +103,9 @@ public OAuthConfirmationController(ClientDetailsEntityService clientService) { @PreAuthorize("hasRole('ROLE_USER')") @RequestMapping("/oauth/confirm_access") - public String confimAccess(Map<String, Object> model, @ModelAttribute("authorizationRequest") AuthorizationRequest authRequest, - Principal p) { + public String confirmAccess(Map<String, Object> model, Principal p) { + AuthorizationRequest authRequest = (AuthorizationRequest) model.get("authorizationRequest"); // Check the "prompt" parameter to see if we need to do special processing String prompt = (String)authRequest.getExtensions().get(PROMPT);
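Review bot: the added `AuthorizationRequest authRequest = (AuthorizationRequest) model.get("authorizationRequest");` has no null or type guard before the unchanged next line dereferences it via `authRequest.getExtensions().get(PROMPT)`, so a request that reaches /oauth/confirm_access without the model attribute fails with a NullPointerException (or a ClassCastException if another type is stored under that key) instead of a controlled error; consider `if (!(model.get("authorizationRequest") instanceof AuthorizationRequest)) throw new IllegalStateException("authorizationRequest missing from model");` or an equivalent fail-closed check ahead of the cast. The substance of the fix is right: taking the object out of the model instead of declaring it with `@ModelAttribute` means the WebDataBinder no longer copies arbitrary request parameters onto it. The rename from `confimAccess` to `confirmAccess` corrects a typo and, since `@RequestMapping("/oauth/confirm_access")` is unchanged, does not alter the endpoint.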
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8p36-q63g-68qh (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-27582 (GHSA, ADVISORY)
- agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html (GHSA, x_refsource_MISC, WEB)
- github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/commit/7eba3c12fed82388f917e8dd9b73e86e3a311e4c (GHSA, x_refsource_MISC, WEB)
- portswigger.net/research/hidden-oauth-attack-vectors (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.