Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SciTokens: Authorization Bypass via Path Traversal in Scope Validation
Vulnerability Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
scitokens 路径遍历漏洞
Vulnerability Description
scitokens是SciTokens开源的一个基于JWT的科学计算令牌库。 SciTokens 1.9.7之前版本存在路径遍历漏洞,该漏洞源于攻击者可在令牌的范围声明中使用点-点(..)来逃避预期的目录限制,可能导致路径遍历攻击。
CVSS Information
N/A
Vulnerability Type
N/A