PT-2021-19867 · Ory · Ory Oathkeeper

Aeneasr (+1) · Published 2021-06-22 · Updated 2024-08-21 · CVE-2021-32701

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

ORY Oathkeeper versions prior to v0.38.12-beta.1
Description

The issue arises when a request is made to an endpoint that requires a specific scope and the access token has been granted that scope: introspection succeeds and the token is cached. If a second request is made, before the cache entry expires, to an endpoint that requires a different scope, the cached introspection result is treated as valid regardless of whether the token was granted the new scope. The cache only checks the token's expiration date and ignores whether the token carries the required scopes. This vulnerability was introduced due to insufficient test coverage during a code review.
Recommendations

To resolve the issue, update to version v0.38.12-beta.1 or later. As a temporary workaround, consider disabling caching for the oauth2 introspection authenticator; the vulnerability does not exist when caching is disabled. Restrict access to the vulnerable AuthenticatorOAuth2Introspection function until a patch is available, and avoid using the tokenFromCache() function until the issue is resolved. Disable the cache when the scope strategy is none and the requested scope is not empty, so that the cache cannot be used to bypass the scope check.
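As an added illustration (not Oathkeeper's code and not the project's actual patch), the following Go sketch models the cache behaviour described above: VulnerableLookup accepts any unexpired cached token regardless of the scope the endpoint requires, while FixedLookup re-checks the required scopes against the cached grant and forces re-introspection on a mismatch. The Introspection and TokenCache types and the Scenario function are constructed for this example.

```go
package main

import "time"

// Introspection is a constructed stand-in for an OAuth2 introspection response.
type Introspection struct {
	Scope  []string
	Expiry time.Time
}

// TokenCache keys cached results by the raw token only, as the advisory describes.
type TokenCache map[string]Introspection

// VulnerableLookup trusts any unexpired cache hit, whatever scope the current
// endpoint requires: the flaw in CVE-2021-32701 as described above.
func (c TokenCache) VulnerableLookup(token string) (Introspection, bool) {
	r, ok := c[token]
	if !ok || !time.Now().Before(r.Expiry) {
		return Introspection{}, false
	}
	return r, true
}

// FixedLookup also requires the cached grant to cover every scope the current
// request needs, else reports a miss so the caller re-introspects (illustrative).
func (c TokenCache) FixedLookup(token string, required []string) (Introspection, bool) {
	r, ok := c.VulnerableLookup(token)
	if !ok {
		return r, false
	}
	granted := make(map[string]bool, len(r.Scope))
	for _, s := range r.Scope {
		granted[s] = true
	}
	for _, s := range required {
		if !granted[s] {
			return Introspection{}, false
		}
	}
	return r, true
}

// Scenario replays the advisory: a token granted only "read" is cached by a
// request to a read endpoint and then reused against a "write" endpoint.
func Scenario() (vulnerableAccepts, fixedAccepts bool) {
	c := TokenCache{"tok": {Scope: []string{"read"}, Expiry: time.Now().Add(time.Hour)}}
	_, vulnerableAccepts = c.VulnerableLookup("tok")
	_, fixedAccepts = c.FixedLookup("tok", []string{"write"})
	return
}
```

Scenario returns true for the vulnerable lookup and false for the fixed one, which is the behavioural difference a regression test for this issue should assert.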

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2021-32701
GHSA-QVP4-RPMR-XWRR
GHSA-VFVF-6GX5-MQV6
GO-2022-0406
GO-2022-0920

Affected Products

Ory Oathkeeper