Vulnerability Information
Vulnerability Title
SciTokens C++: Sibling-Path Authorization Bypass
Vulnerability Description
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
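The two checks below, added here as an illustration rather than taken from scitokens-cpp, show the difference the advisory describes: a bare prefix comparison versus one that insists on a path-segment boundary. The function names, the trailing-slash normalisation and the table of scope/request pairs are all constructed for this example; the sibling pair `/store/data` vs `/store/data2` is the shape of bypass the text refers to. The same boundary rule applies to any path-scoped ACL or token claim, not only SciTokens.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Vulnerable check (illustrative, not the library's code): a bare string-prefix
// test. A scope of "/store/data" wrongly covers the sibling "/store/data2".
bool covers_prefix_only(const std::string &scope_path, const std::string &requested) {
    return requested.compare(0, scope_path.size(), scope_path) == 0;
}

// Drop trailing slashes so "/store/data/" and "/store/data" compare equal;
// the root path "/" is left alone.
static std::string strip_trailing_slash(std::string p) {
    while (p.size() > 1 && p.back() == '/') p.pop_back();
    return p;
}

// Hardened check: the scope must match the request either exactly or up to a
// path-segment boundary ('/'), so a shared prefix alone is never enough.
// Assumes both inputs are already canonical absolute paths (no "..", no
// percent-encoding); that normalisation belongs before this check.
bool covers_segment_aware(const std::string &scope_path, const std::string &requested) {
    const std::string scope = strip_trailing_slash(scope_path);
    const std::string req = strip_trailing_slash(requested);
    if (scope.empty() || req.empty() || req[0] != '/') return false;  // only absolute paths
    if (scope == "/") return true;                                    // root scope covers all
    if (req.compare(0, scope.size(), scope) != 0) return false;       // not even a prefix
    // Exact match, or the character right after the prefix starts a new segment.
    return req.size() == scope.size() || req[scope.size()] == '/';
}

struct Case { const char *scope; const char *request; bool should_allow; };

// Constructed cases (not from the advisory); should_allow is what a correct
// enforcer must decide for each pair.
static const std::vector<Case> kCases = {
    {"/store/data",  "/store/data",          true},
    {"/store/data",  "/store/data/file.txt", true},
    {"/store/data",  "/store/data2",         false},  // sibling: the bypass
    {"/store/data",  "/store/data-private",  false},  // sibling with punctuation
    {"/store/data",  "/store",               false},  // parent is never covered
    {"/store/data/", "/store/data",          true},   // trailing slash on the scope
    {"/",            "/anything/at/all",     true},
};

// Counts decisions that disagree with should_allow: 3 for the prefix-only
// check on kCases, 0 for the segment-aware check.
int count_mismatches(bool (*check)(const std::string &, const std::string &)) {
    int wrong = 0;
    for (const Case &c : kCases)
        if (check(c.scope, c.request) != c.should_allow) ++wrong;
    return wrong;
}

int main() {
    std::printf("%-14s %-22s %-12s %s\n", "scope", "request", "prefix-only", "segment-aware");
    for (const Case &c : kCases)
        std::printf("%-14s %-22s %-12s %s\n", c.scope, c.request,
                    covers_prefix_only(c.scope, c.request) ? "ALLOW" : "deny",
                    covers_segment_aware(c.scope, c.request) ? "ALLOW" : "deny");
    std::printf("prefix-only mismatches: %d, segment-aware mismatches: %d\n",
                count_mismatches(covers_prefix_only), count_mismatches(covers_segment_aware));
    return 0;
}
```

Note that the prefix-only variant fails in both directions: it grants the two sibling requests and also rejects the legitimate `/store/data` request when the scope was written with a trailing slash, which is why normalising separators and checking the segment boundary have to go together.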
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Incorrect Authorization
Vulnerability Title
scitokens security vulnerability
Vulnerability Description
scitokens is an open-source, JWT-based token library for scientific computing from the SciTokens project. Versions of scitokens prior to 1.4.1 contain a security vulnerability: the enforcer uses a simple string-prefix comparison when checking whether a requested resource path is covered by the token's authorized scope path, which can lead to an authorization bypass.
CVSS Information
N/A
Vulnerability Type
N/A