CVE-2021-32701
Published 2021-06-22
Priority: P3 43 · Severity: High 7.5 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.30% (66.8th percentile)
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted the `foo` scope, introspection succeeds and that token is cached. The problem arises when a second request, to an endpoint that requires the scope `bar`, is made before the cache entry has expired: whether or not the token was granted the `bar` scope, introspection is treated as valid. A patch will be released with `v0.38.12-beta.1`. By default, caching is disabled for the `oauth2_introspection` authenticator; when caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it appears that only the token's expiration date is validated, while whether the token carries the required scopes is ignored. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage from the submitter, which is the primary reason the vulnerability passed the review process.
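As an added illustration (not Oathkeeper's code, and not necessarily how the project's patch was implemented), the Go sketch below contrasts a cache hit that checks only expiry, as the description attributes to `tokenFromCache()`, with one that re-verifies the endpoint's required scopes against the cached introspection result on every hit. The `Cache`, `Introspection`, `VulnerableHit` and `FixedHit` names and the sample token are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Introspection is the subset of an RFC 7662 response kept in the cache.
type Introspection struct {
	Active bool
	Scope  string // space-separated scopes, as RFC 7662 returns them
	Expiry time.Time
}

// Cache is a hypothetical token -> introspection result store standing in
// for the oauth2_introspection authenticator's cache (not Oathkeeper code).
type Cache map[string]Introspection

// hasAllScopes reports whether every required scope appears in the
// space-separated scope string returned by the introspection endpoint.
func hasAllScopes(granted string, required []string) bool {
	have := map[string]bool{}
	for _, s := range strings.Fields(granted) {
		have[s] = true
	}
	for _, r := range required {
		if !have[r] {
			return false
		}
	}
	return true
}

// VulnerableHit reproduces the flaw: an unexpired cached entry is accepted
// no matter which scopes the current endpoint requires.
func VulnerableHit(c Cache, token string, now time.Time, required []string) bool {
	i, ok := c[token]
	return ok && i.Active && now.Before(i.Expiry)
}

// FixedHit re-checks the endpoint's required scopes on every cache hit, so a
// token cached by a `foo` endpoint cannot satisfy a `bar` requirement.
func FixedHit(c Cache, token string, now time.Time, required []string) bool {
	i, ok := c[token]
	return ok && i.Active && now.Before(i.Expiry) && hasAllScopes(i.Scope, required)
}

func main() {
	now := time.Now()
	c := Cache{"tok": {Active: true, Scope: "foo", Expiry: now.Add(time.Minute)}} // constructed sample
	fmt.Println(VulnerableHit(c, "tok", now, []string{"bar"})) // true: wrongly allowed
	fmt.Println(FixedHit(c, "tok", now, []string{"bar"}))      // false: scope missing
}
```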
Affected
14 ranges (only the first entry carries version data; the remaining 13 list ory / oathkeeper with no version range or fix version)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ory_oathkeeper | >= 0.38.0-beta.2 < 0.38.12-beta.1 | 0.38.12-beta.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
OSV · 2024-08-21
CVE-2021-32701 Incorrect Authorization in ORY Oathkeeper in github.com/ory/oathkeeper
GHSA · 2021-06-24
CVE-2021-32701 [HIGH] CWE-863 Incorrect Authorization in ORY Oathkeeper
OSV · 2021-06-24
CVE-2021-32701 [HIGH] Incorrect Authorization in ORY Oathkeeper
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932
- https://github.com/ory/oathkeeper/pull/424
- https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr