CVE-2021-32701

Possible bypass of token claim validation when OAuth2 Introspection caching is enabled

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.

ORY Oathkeeper es un Proxy de Identidad y Acceso (IAP) y una API de Decisión de Control de Acceso que autoriza peticiones HTTP basadas en conjuntos de Reglas de Acceso. Cuando se realiza una petición a un endpoint que requiere el ámbito "foo" usando un token de acceso concedido con ese ámbito "foo", la introspección será válida y ese token se almacenará en caché. El problema viene cuando se realiza una segunda petición a un endpoint que requiere el ámbito "bar" antes de que la caché haya expirado. Tanto si se concede el token como si no al ámbito "bar", la introspección será válida. Se publicará un parche con la versión "v0.38.12-beta.1". Por defecto, el almacenamiento en caché está desactivado para el autenticador "oauth2_introspection". Cuando el almacenamiento en caché está deshabilitado, esta vulnerabilidad no existe. La caché es comprobada en ["func (a *AuthenticatorOAuth2Introspection) Authenticate(...)"](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). De ["tokenFromCache()"](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) parece que sólo comprueba la fecha de caducidad del token, pero ignora si el token tiene o no los ámbitos adecuados. La vulnerabilidad fue introducida en PR #424. Durante la revisión, fallamos en requerir una cobertura de pruebas apropiada por parte del remitente, lo cual es la razón principal por la que la vulnerabilidad pasó el proceso de revisión

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-06-22 CVE Published
2024-03-07 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization

CAPEC

References (3)

URL	Tag	Source
https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932	2021-06-30
https://github.com/ory/oathkeeper/pull/424	2021-06-30

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.0 Search vendor "Ory" for product "Oathkeeper" and version "0.38.0"		beta2		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.1 Search vendor "Ory" for product "Oathkeeper" and version "0.38.1"		beta2		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.2 Search vendor "Ory" for product "Oathkeeper" and version "0.38.2"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.3 Search vendor "Ory" for product "Oathkeeper" and version "0.38.3"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.4 Search vendor "Ory" for product "Oathkeeper" and version "0.38.4"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.5 Search vendor "Ory" for product "Oathkeeper" and version "0.38.5"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.6 Search vendor "Ory" for product "Oathkeeper" and version "0.38.6"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.7 Search vendor "Ory" for product "Oathkeeper" and version "0.38.7"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.8 Search vendor "Ory" for product "Oathkeeper" and version "0.38.8"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.9 Search vendor "Ory" for product "Oathkeeper" and version "0.38.9"		beta1		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.10 Search vendor "Ory" for product "Oathkeeper" and version "0.38.10"		beta2		Affected
Ory Search vendor "Ory"		Oathkeeper Search vendor "Ory" for product "Oathkeeper"				0.38.11 Search vendor "Ory" for product "Oathkeeper" and version "0.38.11"		beta1		Affected