CVE-2021-32701 - Vulnerability Details

Vendors	Products
Ory	Oathkeeper

Source	ID	Title
EUVD	EUVD-2021-1410	ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.
Github GHSA	GHSA-vfvf-6gx5-mqv6	Incorrect Authorization in ORY Oathkeeper

Link	Providers
https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932
https://github.com/ory/oathkeeper/pull/424
https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr

{"containers": {"cna": {"affected": [{"product": "oathkeeper", "vendor": "ory", "versions": [{"status": "affected", "version": ">=v0.38.0-beta.2, < v0.38.12-beta.1"}]}], "descriptions": [{"lang": "en", "value": "ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-22T19:45:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ory/oathkeeper/pull/424"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"}], "source": {"advisory": "GHSA-qvp4-rpmr-xwrr", "discovery": "UNKNOWN"}, "title": "Possible bypass of token claim validation when OAuth2 Introspection caching is enabled", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32701", "STATE": "PUBLIC", "TITLE": "Possible bypass of token claim validation when OAuth2 Introspection caching is enabled"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "oathkeeper", "version": {"version_data": [{"version_value": ">=v0.38.0-beta.2, < v0.38.12-beta.1"}]}}]}, "vendor_name": "ory"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr", "refsource": "CONFIRM", "url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"}, {"name": "https://github.com/ory/oathkeeper/pull/424", "refsource": "MISC", "url": "https://github.com/ory/oathkeeper/pull/424"}, {"name": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932", "refsource": "MISC", "url": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"}]}, "source": {"advisory": "GHSA-qvp4-rpmr-xwrr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:31.146Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ory/oathkeeper/pull/424"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32701", "datePublished": "2021-06-22T19:45:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:31.146Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "DC847085-1357-48B3-A809-78F964DE5469", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.1:beta2:*:*:*:*:*:*", "matchCriteriaId": "8EE6201C-CC5D-4202-A0E1-6170ECD0A6A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.2:beta1:*:*:*:*:*:*", "matchCriteriaId": "C0BA2A9E-02E3-4F3B-BC57-139645995814", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "33B55094-713D-4DB0-948C-3A4BA060640C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.4:beta1:*:*:*:*:*:*", "matchCriteriaId": "A78FF290-4F7A-4386-8802-DFBAD0A32725", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.5:beta1:*:*:*:*:*:*", "matchCriteriaId": "D212F091-4CC2-4E80-B68E-E77121F59FF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.6:beta1:*:*:*:*:*:*", "matchCriteriaId": "524EFECB-F19D-4150-BAED-8303F12DC5D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.7:beta1:*:*:*:*:*:*", "matchCriteriaId": "4E7BE228-BE08-479F-B2F7-0CD44751D425", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.8:beta1:*:*:*:*:*:*", "matchCriteriaId": "23B6E7B2-8865-4B7E-BF31-69F5AD03A817", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.9:beta1:*:*:*:*:*:*", "matchCriteriaId": "B790D997-23B1-4509-AE64-597F1BA287F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.10:beta2:*:*:*:*:*:*", "matchCriteriaId": "18DC4A21-2634-4ABE-8DCE-1CE7A056799A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ory:oathkeeper:0.38.11:beta1:*:*:*:*:*:*", "matchCriteriaId": "A130449A-B114-4422-ABBE-83DB35C9679C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process."}, {"lang": "es", "value": "ORY Oathkeeper es un Proxy de Identidad y Acceso (IAP) y una API de Decisi\u00f3n de Control de Acceso que autoriza peticiones HTTP basadas en conjuntos de Reglas de Acceso. Cuando se realiza una petici\u00f3n a un endpoint que requiere el \u00e1mbito \"foo\" usando un token de acceso concedido con ese \u00e1mbito \"foo\", la introspecci\u00f3n ser\u00e1 v\u00e1lida y ese token se almacenar\u00e1 en cach\u00e9. El problema viene cuando se realiza una segunda petici\u00f3n a un endpoint que requiere el \u00e1mbito \"bar\" antes de que la cach\u00e9 haya expirado. Tanto si se concede el token como si no al \u00e1mbito \"bar\", la introspecci\u00f3n ser\u00e1 v\u00e1lida. Se publicar\u00e1 un parche con la versi\u00f3n \"v0.38.12-beta.1\". Por defecto, el almacenamiento en cach\u00e9 est\u00e1 desactivado para el autenticador \"oauth2_introspection\". Cuando el almacenamiento en cach\u00e9 est\u00e1 deshabilitado, esta vulnerabilidad no existe. La cach\u00e9 es comprobada en [\"func (a *AuthenticatorOAuth2Introspection) Authenticate(...)\"](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). De [\"tokenFromCache()\"](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) parece que s\u00f3lo comprueba la fecha de caducidad del token, pero ignora si el token tiene o no los \u00e1mbitos adecuados. La vulnerabilidad fue introducida en PR #424. Durante la revisi\u00f3n, fallamos en requerir una cobertura de pruebas apropiada por parte del remitente, lo cual es la raz\u00f3n principal por la que la vulnerabilidad pas\u00f3 el proceso de revisi\u00f3n"}], "id": "CVE-2021-32701", "lastModified": "2024-11-21T06:07:33.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-22T20:15:08.727", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ory/oathkeeper/pull/424"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ory/oathkeeper/pull/424"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object