org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.
{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:mitreid:connect:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.3"
}
]
}