ORY Oathkeeper Path Traversal Authorization Bypass Vulnerability

Vulnerability

A critical authorization bypass has been identified in ORY Oathkeeper versions prior to 26.2.0. The access rule matcher evaluated the request path exactly as the client sent it, without resolving dot-segments ("." and ".."), so a request whose raw path begins with a publicly allowed prefix is matched against that permissive rule even though the resource it actually resolves to sits under a protected prefix. For example, a request for '/public/../admin/secrets' is matched by a rule that allows anonymous access to '/public/<.*>' rather than by the rule that protects '/admin/<.*>', and the handler pipeline of the permissive rule (its authenticators, authorizer and mutators) is applied instead of the protective one. Because the upstream service typically receives a normalized path, or normalizes it itself, the request reaches '/admin/secrets' without the authentication the admin rule was meant to enforce.

Impact

An unauthenticated attacker can reach any resource behind a protected rule as long as some other rule with a permissive pipeline exists for a prefix the attacker can traverse out of. The bypass affects the whole rule pipeline, so authorizer and mutator stages of the protected rule are skipped as well, not only authentication.

Reproduction

To reproduce this vulnerability, configure an Oathkeeper instance with a rule that allows unauthenticated access to the '/public/<.*>' path and a rule that requires authentication for the '/admin/<.*>' path. Then send a request whose path contains a traversal sequence, such as '/public/../admin/secrets', making sure the sequence is not removed before it reaches Oathkeeper: most HTTP clients resolve dot-segments themselves (curl, for instance, needs the '--path-as-is' flag to leave the path untouched), and any proxy in front of Oathkeeper may normalize the path as well. On an affected version the request is matched against the raw path, the permissive public rule is selected, and the admin resource is returned without authentication.
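The following Go program is an added illustration of the matching behaviour described in the Vulnerability and Reproduction sections; it is not Oathkeeper's own code. It stands in a simplified rule matcher (regular expressions over the request path, two constructed rules for '/public' and '/admin') and evaluates each request twice: once against the raw path, as the affected versions did, and once after normalization with Go's 'net/url' and 'path.Clean'. The rule names, the 'decideRaw'/'decideNormalized' helpers and the sample paths are all constructed for this example; the normalization strategy is one reasonable choice, not a description of the upstream patch.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// rule is a simplified stand-in for an Oathkeeper access rule: a regular
// expression over the request path plus whether matching requests may pass
// without an authenticated subject. Constructed for this example; real rules
// match the full URL and carry authenticator/authorizer/mutator pipelines.
type rule struct {
	name      string
	pattern   *regexp.Regexp
	allowAnon bool
}

// Constructed rule set mirroring the advisory's scenario: /public is open,
// /admin requires authentication, everything else is denied by default.
var rules = []rule{
	{name: "public", pattern: regexp.MustCompile(`^/public(/.*)?$`), allowAnon: true},
	{name: "admin", pattern: regexp.MustCompile(`^/admin(/.*)?$`), allowAnon: false},
}

// decide matches p against the rules in order and returns whether the
// request is allowed and which rule made the decision ("" if none matched).
func decide(p string, authenticated bool) (bool, string) {
	for _, r := range rules {
		if r.pattern.MatchString(p) {
			return r.allowAnon || authenticated, r.name
		}
	}
	return false, ""
}

// decideRaw evaluates the request path exactly as the client sent it. This
// is the pre-fix behaviour: "/public/../admin/secrets" hits the public rule.
func decideRaw(rawPath string, authenticated bool) (bool, string) {
	return decide(rawPath, authenticated)
}

// normalizePath percent-decodes the path, resolves "." and ".." segments
// and collapses repeated slashes, so every spelling of a resource is judged
// by the same rule. url.Parse already decodes %2e and %2f into u.Path.
func normalizePath(rawPath string) (string, error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + u.Path), nil
}

// decideNormalized normalizes first and then evaluates the rules. Paths that
// cannot be parsed are denied rather than matched against a guessed form.
func decideNormalized(rawPath string, authenticated bool) (bool, string) {
	p, err := normalizePath(rawPath)
	if err != nil {
		return false, ""
	}
	return decide(p, authenticated)
}

func main() {
	// Constructed sample requests, all sent without credentials.
	for _, p := range []string{
		"/public/index.html",
		"/public/../admin/secrets",
		"/public/%2e%2e/admin/secrets",
		"/admin/secrets",
	} {
		rawOK, rawRule := decideRaw(p, false)
		normOK, normRule := decideNormalized(p, false)
		fmt.Printf("%-32s raw: allow=%-5v rule=%-9q normalized: allow=%-5v rule=%q\n",
			p, rawOK, rawRule, normOK, normRule)
	}
}
```

Running it shows the two traversal spellings allowed by the raw matcher and denied by the normalized one, while the plain '/public' and '/admin' requests are decided the same way in both modes. The percent-encoded variant is included because a normalizer that only resolves literal '..' would still be bypassable; decoding before cleaning closes that gap, at the cost that the path Oathkeeper evaluates must then be the one the upstream service will actually see after its own decoding.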

Remediation

Upgrade ORY Oathkeeper to version 26.2.0 or later, where this vulnerability has been patched. As defence in depth, normalize request paths in the layer in front of Oathkeeper. Envoy can do this with the 'normalize_path' and 'merge_slashes' options of its HTTP connection manager. Nginx resolves '.' and '..' segments and percent-encoding when it matches 'location' blocks, but a 'proxy_pass' directive given without a URI part forwards the request URI as the client sent it, so verify what actually reaches Oathkeeper rather than assuming the proxy has cleaned it. Any proxy-side normalization must also agree with how the upstream service decodes paths, otherwise the two can still be made to see different resources.

Added: Mar 26, 2026, 6:22 PM
Updated: Mar 26, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 8.0
remediation: 0.0
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.