[ https://issues.apache.org/jira/browse/CXF-9222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091789#comment-18091789 ]

Colm O hEigeartaigh commented on CXF-9222:
------------------------------------------

I'll remove this flag for 4.2.x, but mark it as deprecated for 4.1.x

> partialMatchScopeValidation allows prefix-based scope escalation (e.g., read grants readwrite)
> ----------------------------------------------------------------------------------------------
>
>                 Key: CXF-9222
>                 URL: https://issues.apache.org/jira/browse/CXF-9222
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 4.2.2
>            Reporter: Guanping Zhang
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>             Fix For: 4.2.3
>
>
> When the partialMatchScopeValidation flag is enabled in 
> RedirectionBasedGrantService, OAuthUtils.validateScopes() validates requested 
> scopes using a simple startsWith() check against the registered scopes.
> This creates a silent privilege escalation vector: if a client is registered 
> with the scope read, an attacker or misconfigured client can request 
> readwrite, read_admin, or read;admin, and the validation will pass because 
> "readwrite".startsWith("read") is true.
> While this feature is opt-in (defaults to false), operators who enable it for 
> prefix-convenience inherit unintended scope escalation. Scopes should be 
> treated as discrete tokens (set membership) rather than string prefixes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
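The escalation described in the report, side by side with the fix it asks for, as an added illustration that is not part of this thread and not CXF's own OAuthUtils code. The two validators below model the behaviour the report describes (a startsWith() prefix check versus discrete-token membership); the class, method names and sample scope lists are constructed for the example. A third, delimiter-aware variant is included as the compromise an operator would want if they enabled the flag for genuinely hierarchical scopes such as read:files; the ":" delimiter is an assumption, not a CXF convention.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration for CXF-9222; not the project's own code.
public final class ScopeValidationDemo {

    // Models partialMatchScopeValidation=true as described in the report:
    // a requested scope is accepted if it merely starts with any registered scope.
    // "readwrite".startsWith("read") is true, so "read" silently grants "readwrite".
    static boolean validatePrefix(List<String> requested, List<String> registered) {
        for (String req : requested) {
            boolean match = false;
            for (String reg : registered) {
                if (req.startsWith(reg)) {
                    match = true;
                    break;
                }
            }
            if (!match) {
                return false;
            }
        }
        return true;
    }

    // Hardened form: scopes are discrete tokens, so every requested scope
    // must be a member of the registered set (set membership, not prefix).
    static boolean validateExact(List<String> requested, List<String> registered) {
        Set<String> allowed = new HashSet<>(registered);
        return allowed.containsAll(requested);
    }

    // If hierarchical scopes are really needed, only accept a prefix match at a
    // token boundary (assumed delimiter ":"), so "read" may grant "read:files"
    // but never "readwrite", "read_admin" or "read;admin".
    static boolean validateDelimitedPrefix(List<String> requested, List<String> registered) {
        for (String req : requested) {
            boolean match = false;
            for (String reg : registered) {
                if (req.equals(reg) || req.startsWith(reg + ":")) {
                    match = true;
                    break;
                }
            }
            if (!match) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: a client registered with the single scope "read".
        List<String> registered = Arrays.asList("read");
        // The first request is legitimate; the next three are the escalation
        // attempts named in the report; the last is a hierarchical sub-scope.
        List<List<String>> requests = Arrays.asList(
            Arrays.asList("read"),
            Arrays.asList("readwrite"),
            Arrays.asList("read_admin"),
            Arrays.asList("read;admin"),
            Arrays.asList("read:files"));

        System.out.println("requested        prefix  exact   delimited");
        for (List<String> req : requests) {
            System.out.printf("%-16s %-7s %-7s %s%n",
                req,
                validatePrefix(req, registered),
                validateExact(req, registered),
                validateDelimitedPrefix(req, registered));
        }
    }
}
```

Running main prints one row per request: the prefix validator accepts all five, the exact validator accepts only "read", and the delimiter-aware variant accepts "read" and "read:files" while rejecting the three escalation strings. The practical check for an operator is simple: if your configuration sets partialMatchScopeValidation to true, assume any registered scope also grants every scope that shares its prefix, and either disable the flag or register scopes that cannot be extended into a more privileged name.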