Guanping Zhang created CXF-9222:
-----------------------------------
Summary: partialMatchScopeValidation allows prefix-based scope escalation (e.g., read grants readwrite)
Key: CXF-9222
URL: https://issues.apache.org/jira/browse/CXF-9222
Project: CXF
Issue Type: Bug
Components: JAX-RS, JAX-RS Security
Affects Versions: 4.2.2
Reporter: Guanping Zhang
When the partialMatchScopeValidation flag is enabled in
RedirectionBasedGrantService, OAuthUtils.validateScopes() validates requested
scopes using a simple startsWith() check against the registered scopes.

This creates a silent privilege escalation vector: if a client is registered
with the scope read, an attacker or misconfigured client can request readwrite,
read_admin, or read;admin, and the validation will pass because
"readwrite".startsWith("read") is true.

While this feature is opt-in (defaults to false), operators who enable it for
prefix-convenience inherit unintended scope escalation. Scopes should be
treated as discrete tokens (set membership) rather than string prefixes.
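Added illustration (not CXF's code, and not part of the report): a standalone reimplementation of the prefix-based check beside the set-membership check the report recommends, run over the scope strings named above. The class, method names and the registered scope list are constructed for the demo.

```java
import java.util.List;
import java.util.Set;

/** Illustrative reimplementation of the reported behaviour; not CXF's OAuthUtils. */
public final class ScopeValidationDemo {

    // Registered scopes for the client (constructed sample).
    static final List<String> REGISTERED = List.of("read");

    /** Mirrors the flawed partial-match behaviour: a requested scope is accepted
     *  if it merely starts with any registered scope. */
    static boolean prefixMatch(List<String> registered, List<String> requested) {
        for (String req : requested) {
            boolean ok = false;
            for (String reg : registered) {
                if (req.startsWith(reg)) { ok = true; break; }
            }
            if (!ok) return false;
        }
        return true;
    }

    /** Hardened form: scopes are discrete tokens, so require exact set membership. */
    static boolean exactMatch(List<String> registered, List<String> requested) {
        Set<String> allowed = Set.copyOf(registered);
        return allowed.containsAll(requested);
    }

    public static void main(String[] args) {
        // Constructed requests: one legitimate, three prefix-escalation attempts.
        List<String> attempts = List.of("read", "readwrite", "read_admin", "read;admin");
        for (String s : attempts) {
            List<String> req = List.of(s);
            // prefixMatch accepts all four; exactMatch accepts only "read".
            System.out.printf("%-12s prefix=%-5s exact=%s%n", s,
                    prefixMatch(REGISTERED, req), exactMatch(REGISTERED, req));
        }
    }
}
```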
--
This message was sent by Atlassian Jira
(v8.20.10#820010)