OSG-SEC-2020-03-26 Vulnerability in xrootd-scitokens Plugin
Dear OSG Security Contacts,
A security vulnerability has been discovered in the xrootd-scitokens plugin. OSG has released an updated version of the plugin with fixes for the vulnerability. All installations of the plugin should be upgraded. The OSG Security team considers this vulnerability to be of MODERATE severity.
All versions of xrootd-scitokens prior to v1.2
WHAT ARE THE VULNERABILITIES:
The xrootd-scitokens plugin v1.1.0 (and earlier) contains an authorization logic error that permits both read and write access to files when the user's token authorizes only read or write permission.
An authorized user with a valid token granting read access to files also obtains write access to those files (and vice versa). This does not affect typical xrootd-scitokens deployment scenarios, which either have read-only filesystems or where both read and write permissions are granted for all generated tokens.
WHAT YOU SHOULD DO:
Update the xrootd-scitokens plugin to v1.2 or later.
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team