SciTokens Path Traversal Vulnerability in Scope Validation Allows Directory Access Bypass
Vulnerability
A path traversal vulnerability exists in SciTokens versions prior to 1.9.7. The flaw is in the Enforcer component, which decides whether a token's scope (for example 'read:/home/user1') authorizes a request for a given path. The library normalizes both the authorized path taken from the scope claim and the requested path before comparing them, so a scope path containing dot-dot segments collapses to a shorter prefix during normalization and matches requests outside the directory the scope was meant to cover. Because the scope claim is covered by the token signature, an attacker needs a token whose scope path they can influence; the comparison itself then fails to contain it.
Impact
Exploitation allows unauthorized access to directories and files outside the intended authorization boundary, potentially exposing sensitive information or resources belonging to other users of the same resource server.
Reproduction
The vulnerability can be reproduced with a token whose scope path includes dot-dot segments that traverse up the directory structure. For example, a scope of 'read:/home/user1/..' normalizes to '/home', so the Enforcer treats a request for '/home/user2' as authorized because '/home/user2' falls under the normalized prefix '/home'. URL-encoded dots ('%2e%2e' for '..') pass simple string filters that only look for a literal '..' and are decoded back to dot segments before the comparison, so such filters do not close the hole.
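The following is an added illustration of the flaw and one way to close it; it is not code from the scitokens project and does not reproduce the real Enforcer API. All function names are hypothetical and the scopes and paths are constructed for the example. The vulnerable check normalizes both sides and then does a prefix match, which is the behaviour the advisory describes; the hardened check refuses to normalize the scope path at all and instead rejects any scope path that is not already canonical (dot segments, empty segments, percent-encoded dots or slashes), so a crafted scope fails closed.

```python
"""Added example: SciTokens-style path-scope comparison, vulnerable vs hardened.

Not the scitokens library's own code; names are hypothetical and the
sample scopes below are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote


def parse_scope(scope: str):
    """Split a scope like 'read:/home/user1' into (authorization, path).
    A scope without a path part (e.g. 'read') applies to '/'."""
    authz, sep, path = scope.partition(":")
    return authz, (path if sep else "/")


def vulnerable_path_allows(authorized_path: str, requested_path: str) -> bool:
    """Pre-fix behaviour described in the advisory: both paths are normalized
    first, so '..' segments in the *authorized* path widen the allowed prefix."""
    auth = posixpath.normpath(authorized_path)   # '/home/user1/..' -> '/home'
    req = posixpath.normpath(requested_path)
    return req == auth or req.startswith(auth.rstrip("/") + "/")


def naive_filter_rejects(scope: str) -> bool:
    """A literal '..' filter: bypassed by percent-encoded dots ('%2e%2e')."""
    return ".." in scope


def canonical_segments(path: str):
    """Return the segments of an already-canonical absolute path, else None.
    Canonical means: absolute, no empty/'.'/'..' segments, and no segment
    that percent-decodes to a dot segment or contains an encoded slash.
    A single trailing slash is tolerated."""
    if not path.startswith("/"):
        return None
    if path == "/":
        return []
    segs = path[1:].split("/")
    if len(segs) > 1 and segs[-1] == "":
        segs.pop()
    for seg in segs:
        decoded = unquote(seg)
        if seg in ("", ".", "..") or decoded in (".", "..") or "/" in decoded:
            return None
    return segs


def hardened_path_allows(authorized_path: str, requested_path: str) -> bool:
    """Fail-closed variant: the scope path must already be canonical (it is
    never normalized), and the comparison is segment-wise so '/home/user1'
    does not match '/home/user10'. The requested path comes from the resource
    server, so normalizing it only reflects the file that would really be opened."""
    auth = canonical_segments(authorized_path)
    if auth is None or not requested_path.startswith("/"):
        return False
    req = [s for s in posixpath.normpath(requested_path).split("/") if s]
    return req[:len(auth)] == auth


def scope_allows(scope: str, authz: str, requested_path: str, check) -> bool:
    """Check a single scope claim against an (authz, path) request using the
    supplied path comparison function."""
    scope_authz, scope_path = parse_scope(scope)
    return scope_authz == authz and check(scope_path, requested_path)


if __name__ == "__main__":
    crafted = "read:/home/user1/.."          # constructed attacker scope
    victim = "/home/user2"
    print("vulnerable:", scope_allows(crafted, "read", victim, vulnerable_path_allows))
    print("hardened:  ", scope_allows(crafted, "read", victim, hardened_path_allows))
    print("literal '..' filter catches %2e%2e:", naive_filter_rejects("read:/home/user1/%2e%2e"))
    print("canonical check catches %2e%2e:", canonical_segments("/home/user1/%2e%2e") is None)
```

Run stand-alone, the script shows the crafted scope being accepted by the normalizing comparison and rejected by the canonical one, and shows that the literal '..' filter misses '%2e%2e' while the segment check does not. The design point is that the authorized path is policy and must be matched as written; only the requested path may be normalized, since that reflects what the server would actually open.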
Remediation
Update to SciTokens version 1.9.7 or later, where this vulnerability has been patched. As an interim measure, issuers and resource servers can reject scope paths that are not already in canonical form (paths containing '.', '..', empty or percent-encoded segments) before any normalization takes place, so a crafted scope is refused rather than widened.
