
Flusflas

#35512 of 53,624
7.5 Total CVSS
Vulnerabilities · 1
PT-2021-19867
7.5
2021-06-22
Ory · Ory Oathkeeper · CVE-2021-32701
**Name of the Vulnerable Software and Affected Versions**

ORY Oathkeeper versions prior to v0.38.12-beta.1

**Description**

The issue arises when a request is made to an endpoint requiring a specific scope and the access token is granted with that scope, making introspection valid and caching the token. If a second request is made to an endpoint requiring a different scope before the cache expires, introspection will be valid regardless of whether the token is granted the new scope. The cache only validates the token's expiration date, ignoring whether the token has the proper scopes. This vulnerability was introduced due to insufficient test coverage during a code review.

**Recommendations**

To resolve the issue, update to version v0.38.12-beta.1 or later. As a temporary workaround, consider disabling caching for the `oauth2 introspection` authenticator, as this vulnerability does not exist when caching is disabled. Restrict access to the vulnerable `AuthenticatorOAuth2Introspection` function until a patch is available. Avoid using the `tokenFromCache()` function until the issue is resolved. Disable the cache when the scope strategy is `none` and the `requested scope` is not empty to prevent the cache from being used.
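To make the cache check concrete, the following is an added Go example (not Oathkeeper's own code) that models the flawed lookup described above beside a fixed lookup that re-checks the required scopes on every cache hit; the type and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// cachedIntrospection is a constructed stand-in for a cached OAuth2 token
// introspection response: whether the token is active, the scopes it was
// granted, and when it expires.
type cachedIntrospection struct {
	Active bool
	Scope  []string
	Exp    time.Time
}

// hasScopes reports whether every scope in required appears in granted.
func hasScopes(granted, required []string) bool {
	have := make(map[string]bool, len(granted))
	for _, s := range granted {
		have[s] = true
	}
	for _, s := range required {
		if !have[s] {
			return false
		}
	}
	return true
}

// vulnerableCacheAllows models the flaw: a cache hit is accepted whenever the
// token is active and unexpired, ignoring the scopes the endpoint requires.
func vulnerableCacheAllows(c *cachedIntrospection, required []string, now time.Time) bool {
	return c != nil && c.Active && now.Before(c.Exp)
}

// fixedCacheAllows re-checks the required scopes against the granted scopes on
// every hit, so a result cached for one endpoint cannot satisfy another.
func fixedCacheAllows(c *cachedIntrospection, required []string, now time.Time) bool {
	if !vulnerableCacheAllows(c, required, now) {
		return false
	}
	return hasScopes(c.Scope, required)
}

func main() {
	now := time.Now()
	// Cached after a request to an endpoint that requires only "read".
	c := &cachedIntrospection{Active: true, Scope: []string{"read"}, Exp: now.Add(time.Hour)}
	// Second request, before expiry, to an endpoint that requires "write".
	fmt.Println("vulnerable:", vulnerableCacheAllows(c, []string{"write"}, now)) // true
	fmt.Println("fixed:     ", fixedCacheAllows(c, []string{"write"}, now))      // false
}
```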