SciTokens C++ Authorization Bypass Vulnerability in Path-Based Scope Validation

Vulnerability

A high-severity authorization bypass vulnerability has been identified in SciTokens C++ versions prior to 1.4.1. The issue arises in the Enforcer's scope validation, where a simple string-prefix comparison is used to determine if a requested resource path is covered by a token's authorized scope. This approach fails to enforce path-segment boundaries, allowing tokens scoped to one path to incorrectly authorize access to sibling paths that share the same prefix. For example, a token scoped to '/john' could mistakenly grant access to '/johnathan' or '/johnny', which are sibling paths, not descendants. This vulnerability has been addressed in version 1.4.1.

Impact

Exploitation of this vulnerability could lead to unauthorized access to resources in shared storage or multi-tenant environments, allowing one user or tenant to access another's data if their top-level paths begin with the same string.

Reproduction

To reproduce this vulnerability, create a valid token with a scope that includes a specific path, such as 'read:/john'. Then, use the Enforcer to validate access to sibling paths, such as '/johnathan' or '/johnny'. The Enforcer will incorrectly grant access, demonstrating the authorization bypass.
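The difference between the prefix comparison described above and a check that respects path-segment boundaries, as an added example (not SciTokens code and not the 1.4.1 patch). The function names and sample paths are hypothetical, and paths are assumed to be already normalized.

```cpp
#include <iostream>
#include <string>

// Hypothetical names; paths are assumed already normalized (no ".." or "//").

// Flawed check as the advisory describes it: raw string-prefix comparison.
bool prefix_only_match(const std::string &scope_path, const std::string &requested) {
    return requested.compare(0, scope_path.size(), scope_path) == 0;
}

// Drop trailing slashes so "/john/" and "/john" name the same scope; "/" becomes "".
static std::string strip_trailing_slashes(std::string p) {
    while (!p.empty() && p.back() == '/') p.pop_back();
    return p;
}

// Segment-aware check: the scope must match whole path segments of the request.
bool segment_aware_match(const std::string &scope_path, const std::string &requested) {
    const std::string scope = strip_trailing_slashes(scope_path);
    const std::string req = strip_trailing_slashes(requested);
    if (req.compare(0, scope.size(), scope) != 0) return false;
    // Accept an exact match, or a request whose next character starts a new segment.
    return req.size() == scope.size() || req[scope.size()] == '/';
}

int main() {
    const std::string scope = "/john";  // constructed sample scope path
    const char *requests[] = {"/john", "/john/data.txt", "/johnathan", "/johnny", "/jo"};
    for (const char *r : requests) {
        std::cout << r << "  prefix-only=" << prefix_only_match(scope, r)
                  << "  segment-aware=" << segment_aware_match(scope, r) << "\n";
    }
    return 0;
}
```

The same segment-aware comparison works as a regression test input set for any service that authorizes on path scopes: include at least one sibling path that shares the scope's prefix.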

Remediation

Users can upgrade to SciTokens C++ version 1.4.1 or later to address this vulnerability.

Added: Mar 31, 2026, 6:35 PM
Updated: Mar 31, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.3
remediation: 0.0
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.