SCA: security update for github.com/ory/oathkeeper (GHSA-vfvf-6gx5-mqv6)

high Tenable Cloud Security Plugin ID 419308

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP
requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope
`foo` using an access token granted with that `foo` scope, introspection will be valid and that token will
be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made
before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will
be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the
`oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The
cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/or
y/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspecti
on.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a3811
66b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the
token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was
introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter
which is the primary reason that the vulnerability passed the review process. (CVE-2021-32701)

See Also

https://github.com/advisories/GHSA-vfvf-6gx5-mqv6

Plugin Details

Severity: High

ID: 419308

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-32701

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/24/2021

Vulnerability Publication Date: 6/22/2021

Reference Information

CVE: CVE-2021-32701

cwe: CWE-863