7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32701

GHSA ID

GHSA-vfvf-6gx5-mqv6

EPSS Score

0.53478%

CWE

CWE-863

Published

6/24/2021

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32701

CVE-2021-32701:
Incorrect Authorization in ORY Oathkeeper

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope bar is made before the cache has expired. Whether the token is granted or not to the bar scope, introspection will be valid. A patch will be released with v0.38.12-beta.1. Per default, caching is disabled for the oauth2_introspection authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in func (a *AuthenticatorOAuth2Introspection) Authenticate(...). From tokenFromCache() it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32701

GHSA ID

GHSA-vfvf-6gx5-mqv6

EPSS Score

0.53478%

CWE

CWE-863

Published

6/24/2021

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/ory/oathkeeper	go	>= 0.38.0-beta.2, <= 0.38.11-beta.1	0.38.12-beta.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from cached OAuth2 introspection results being reused without re-validating scopes. The tokenFromCache function (lines 97-110 in original code) only checked expiration time, not scope validity. The Authenticate method (line 152+) used this cache without proper scope re-validation when processing subsequent requests. The patch added scope strategy checks in both cache retrieval (tokenFromCache) and cache storage (tokenToCache), confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

ORY O*t*k**p*r is *n I**ntity & ****ss Proxy (I*P) *n* ****ss *ontrol ***ision *PI t**t *ut*oriz*s *TTP r*qu*sts **s** on s*ts o* ****ss Rul*s. W**n you m*k* * r*qu*st to *n *n*point t**t r*quir*s t** s*op* `*oo` usin* *n ****ss tok*n *r*nt** wit* t*

Reasoning

T** vuln*r**ility st*ms *rom ****** O*ut** introsp**tion r*sults **in* r*us** wit*out r*-v*li**tin* s*op*s. T** `tok*n*rom*****` *un*tion (lin*s **-*** in ori*in*l *o**) only ****k** *xpir*tion tim*, not s*op* v*li*ity. T** `*ut**nti**t*` m*t*o* (lin

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-32701: Incorrect Authorization in ORY Oathkeeper

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-32701:
Incorrect Authorization in ORY Oathkeeper

Vulnerability Intelligence
Miggo AI