GHSA-qvp4-rpmr-xwrr: 
vulnerability analysis and mitigation

ORY Oathkeeper, an Identity & Access Proxy (IAP) and Access Control Decision API, was found to have a vulnerability affecting versions >= 0.38.0-beta.2 and <= 0.38.11-beta.1. The vulnerability (CVE-2021-32701) was discovered and disclosed on June 22, 2021, and involves a potential bypass of token claim validation when OAuth2 Introspection caching is enabled (GitHub Advisory).

The vulnerability stems from an incorrect authorization implementation where the cache validation only checks the token expiration date while ignoring proper scope validation. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

When a request is made to an endpoint requiring a specific scope (e.g., 'foo') using an access token with that scope, the introspection is validated and cached. Subsequently, if a second request to an endpoint requiring a different scope (e.g., 'bar') is made before the cache expires, the introspection will be considered valid regardless of whether the token has the required 'bar' scope (GitHub Advisory).

A patch was released in version v0.38.12-beta.1 to address the vulnerability. As a workaround, users can disable caching for the oauth2_introspection authenticator, which is the default configuration. The development team has implemented additional safeguards including strict codecov policies and comprehensive test suites to prevent similar issues (GitHub Advisory).