{"id":"CVE-2021-32701","details":"ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.","aliases":["GHSA-vfvf-6gx5-mqv6","GO-2022-0920"],"modified":"2026-03-13T22:14:14.932958Z","published":"2021-06-22T20:15:08.727Z","related":["GHSA-qvp4-rpmr-xwrr"],"references":[{"type":"ADVISORY","url":"https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"},{"type":"FIX","url":"https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"},{"type":"FIX","url":"https://github.com/ory/oathkeeper/pull/424"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ory/oathkeeper","events":[{"introduced":"0"},{"fixed":"1f9f625c1a49e134ae2299ee95b8cf158feec932"}]},{"type":"GIT","repo":"https://github.com/ory/oathkeeper","events":[{"introduced":"0"},{"fixed":"1f9f625c1a49e134ae2299ee95b8cf158feec932"}]}],"versions":["v0.0.1","v0.0.10","v0.0.11","v0.0.12","v0.0.13","v0.0.14","v0.0.15","v0.0.16","v0.0.17","v0.0.18","v0.0.19","v0.0.2","v0.0.20","v0.0.21","v0.0.22","v0.0.23","v0.0.24","v0.0.25","v0.0.26","v0.0.27","v0.0.28","v0.0.29","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.11.12","v0.14.0+oryOS.10","v0.14.1+oryOS.10","v0.14.2+oryOS.10","v0.15.0","v0.15.1","v0.15.2","v0.16.0-beta.3","v0.16.0-beta.4","v0.16.0-beta.5","v0.17.0-beta.1","v0.17.1-beta.1","v0.17.2-beta.1","v0.17.3-beta.1","v0.17.4-beta.1","v0.18.0-beta.1","v0.19.0-beta.1","v0.31.0-beta.1","v0.32.0-beta.1","v0.32.1-beta.1","v0.33.0-beta.1","v0.33.1-beta.1","v0.34.0-beta.1","v0.35.0-alpha.1","v0.35.0-beta.1","v0.35.1-beta.1","v0.35.3-beta.1","v0.35.4-beta.1","v0.35.5-beta.1","v0.35.5-beta.2","v0.36.0-beta.1","v0.36.0-beta.2","v0.36.0-beta.3","v0.36.0-beta.4","v0.37.0-beta.1","v0.37.1-beta.1","v0.38.0-beta.2","v0.38.1-beta.1","v0.38.10-beta.2","v0.38.11-beta.1","v0.38.2-beta.1","v0.38.3-beta.1","v0.38.4-beta.1","v0.38.5-beta.1","v0.38.6-beta.1","v0.38.7-beta.1","v0.38.8-beta.1","v0.38.9-beta.1","v0.38.9-beta.1.pre.1","v0.38.9-beta.1.pre.2","v0.38.9-beta.1.pre.3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.38.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.1-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.2-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.3-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.4-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.5-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.6-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.7-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.8-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.9-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.10-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"0.38.11-beta1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32701.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}