Guanping Zhang created CXF-9222:
-----------------------------------

             Summary: partialMatchScopeValidation allows prefix-based scope escalation (e.g., read grants readwrite)
                 Key: CXF-9222
                 URL: https://issues.apache.org/jira/browse/CXF-9222
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
    Affects Versions: 4.2.2
            Reporter: Guanping Zhang


When the partialMatchScopeValidation flag is enabled in 
RedirectionBasedGrantService, OAuthUtils.validateScopes() validates requested 
scopes using a simple startsWith() check against the registered scopes.
This creates a silent privilege escalation vector: if a client is registered 
with the scope read, an attacker or misconfigured client can request readwrite, 
read_admin, or read;admin, and the validation will pass because 
"readwrite".startsWith("read") is true.
While this feature is opt-in (defaults to false), operators who enable it for 
prefix-convenience inherit unintended scope escalation. Scopes should be 
treated as discrete tokens (set membership) rather than string prefixes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
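The following is an added, stand-alone illustration of the two validation strategies the report contrasts. It is not CXF's OAuthUtils.validateScopes() and not code from the reporter; the method names, the ':' delimiter used in the hierarchical variant, and the probe scopes are assumptions chosen for this example. It shows why a bare startsWith() accepts readwrite, read_admin and read;admin for a client registered with read, and what exact set membership (and a delimiter-aware prefix check, if hierarchical scopes are genuinely wanted) does with the same input.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Model of scope validation for the behaviour described in CXF-9222.
 * Illustrative code written for this page; method names are assumptions,
 * not CXF APIs.
 */
public class ScopeValidationDemo {

    /** Prefix matching, the behaviour reported for partialMatchScopeValidation=true. */
    static boolean validateScopesByPrefix(List<String> requested, List<String> registered) {
        for (String req : requested) {
            boolean matched = false;
            for (String reg : registered) {
                // "readwrite".startsWith("read") is true, so escalation slips through here.
                if (req.startsWith(reg)) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                return false;
            }
        }
        return true;
    }

    /** Set membership: every requested scope must be exactly one of the registered scopes. */
    static boolean validateScopesExact(List<String> requested, List<String> registered) {
        Set<String> allowed = new HashSet<>(registered);
        for (String req : requested) {
            if (!allowed.contains(req)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Delimiter-aware prefix matching for deployments that really want hierarchical
     * scopes: "read" may cover "read:users" but never "readwrite", because the
     * registered scope must be followed by the delimiter or end the string.
     * The ':' delimiter is an assumption for this example.
     */
    static boolean validateScopesHierarchical(List<String> requested, List<String> registered,
                                              char delimiter) {
        for (String req : requested) {
            boolean matched = false;
            for (String reg : registered) {
                if (req.equals(reg) || req.startsWith(reg + delimiter)) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Client registered with a single scope, as in the report.
        List<String> registered = List.of("read");
        // Constructed probes: the legitimate scope, the three escalation strings from the
        // report, and one hierarchical child scope (assumed naming).
        List<String> probes = List.of("read", "readwrite", "read_admin", "read;admin", "read:users");

        System.out.printf("%-12s %-8s %-8s %-12s%n", "requested", "prefix", "exact", "hierarchical");
        for (String scope : probes) {
            List<String> req = List.of(scope);
            System.out.printf("%-12s %-8b %-8b %-12b%n", scope,
                    validateScopesByPrefix(req, registered),
                    validateScopesExact(req, registered),
                    validateScopesHierarchical(req, registered, ':'));
        }
    }
}
```

With read as the only registered scope, the prefix check accepts all five probes, the exact check accepts only read, and the delimiter-aware check accepts read and read:users but rejects readwrite, read_admin and read;admin. Whatever scope passes validation here is what ends up in the issued token, so a resource server that trusts the token's scope claim would honour the escalated value; the fix belongs in the authorization server's validation, not downstream.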
