[ https://issues.apache.org/jira/browse/CXF-9222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091789#comment-18091789 ]
Colm O hEigeartaigh commented on CXF-9222:
------------------------------------------
I'll remove this flag for 4.2.x, but mark it as deprecated for 4.1.x
> partialMatchScopeValidation allows prefix-based scope escalation (e.g., read grants readwrite)
> ----------------------------------------------------------------------------------------------
>
> Key: CXF-9222
> URL: https://issues.apache.org/jira/browse/CXF-9222
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Affects Versions: 4.2.2
> Reporter: Guanping Zhang
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Fix For: 4.2.3
>
>
> When the partialMatchScopeValidation flag is enabled in
> RedirectionBasedGrantService, OAuthUtils.validateScopes() validates requested
> scopes using a simple startsWith() check against the registered scopes.
> This creates a silent privilege escalation vector: if a client is registered
> with the scope read, an attacker or misconfigured client can request
> readwrite, read_admin, or read;admin, and the validation will pass because
> "readwrite".startsWith("read") is true.
> While this feature is opt-in (defaults to false), operators who enable it for
> prefix-convenience inherit unintended scope escalation. Scopes should be
> treated as discrete tokens (set membership) rather than string prefixes.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
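The two validation strategies the report contrasts, as an added stand-alone illustration that is not CXF's own code: `prefixMatchValidate` reproduces the startsWith() behaviour the report attributes to partialMatchScopeValidation, and `exactMatchValidate` is the set-membership check the reporter asks for. The class and method names are hypothetical; the requested scopes are the ones quoted in the report.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical demo class; it stands in for the check described in CXF-9222
// and is not taken from OAuthUtils or any other CXF source file.
public final class ScopeValidationDemo {

    // Prefix-based check as described in the report: a requested scope passes
    // if it merely starts with any registered scope.
    static boolean prefixMatchValidate(List<String> requested, List<String> registered) {
        for (String req : requested) {
            boolean accepted = false;
            for (String reg : registered) {
                if (req.startsWith(reg)) {
                    accepted = true;
                    break;
                }
            }
            if (!accepted) {
                return false;
            }
        }
        return true;
    }

    // Set-membership check: every requested scope must equal a registered scope
    // as a whole token, so "readwrite" is not accepted for a client with "read".
    static boolean exactMatchValidate(List<String> requested, List<String> registered) {
        Set<String> allowed = new HashSet<>(registered);
        return allowed.containsAll(requested);
    }

    public static void main(String[] args) {
        List<String> registered = Arrays.asList("read");
        // Constructed inputs: the requests quoted in the report, plus the legitimate one.
        List<String> attempts = Arrays.asList("read", "readwrite", "read_admin", "read;admin");
        for (String scope : attempts) {
            List<String> req = Arrays.asList(scope);
            System.out.printf("%-12s prefixMatch=%-5b exactMatch=%b%n", scope,
                    prefixMatchValidate(req, registered), exactMatchValidate(req, registered));
        }
    }
}
```

Only the first row is accepted by both checks; the prefix check accepts all four requests, which is the escalation the report describes.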