


Perceptive Security
SOC/SIEM Consultancy

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple pr…
Published:
30 March 2026 at 22:00:00
Alert date:
31 March 2026 at 04:03:55
Source:
nvd.nist.gov
Identity & Access, Supply Chain & Dependencies
The SciTokens reference library prior to version 1.9.6 contains an authorization bypass vulnerability in the Enforcer component. The vulnerability stems from incorrect scope path validation using simple prefix matching with the startswith function. This allows a token with access to a specific path to also access sibling paths that share the same string prefix, effectively bypassing the intended authorization controls. For example, a token granted access to /john could also access the /johnathan or /johnny paths. The issue has been addressed and patched in SciTokens version 1.9.6.
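The following is an added illustration of the defect class described above, written for this alert; it is not the SciTokens library's own code and the function names (vulnerable_path_allowed, hardened_path_allowed, enforce) and the sample scope strings are constructed for the example. It places the naive prefix check beside a boundary-aware check that only accepts a requested path when it equals the granted path or sits beneath it as a whole path component, and it normalises both paths so that a trailing slash or a ".." segment cannot turn a sibling path into an apparent child.

```python
import posixpath


def vulnerable_path_allowed(granted: str, requested: str) -> bool:
    """Naive prefix match: '/john' wrongly authorises '/johnathan' and '/johnny'."""
    return requested.startswith(granted)


def _normalise(path: str) -> str:
    # Force an absolute path and collapse '.', '..' and duplicate slashes so
    # that '/john/' and '/john/../johnny' are compared by their real location.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_path_allowed(granted: str, requested: str) -> bool:
    """Allow `requested` only if it is `granted` itself or a descendant of it.

    The comparison is done on whole path components: the requested path must
    equal the granted path or start with the granted path plus a '/'.
    """
    g = _normalise(granted)
    r = _normalise(requested)
    if g == "/":
        # A grant on the root authorises every path.
        return True
    return r == g or r.startswith(g + "/")


def enforce(scopes, requested_authz: str, requested_path: str,
            check=hardened_path_allowed) -> bool:
    """Return True if any 'authz:/path' scope in `scopes` covers the request.

    `scopes` is a list of constructed scope strings such as 'read:/john';
    a scope with no path part is treated as a grant on '/'.
    """
    for scope in scopes:
        authz, _, path = scope.partition(":")
        if path == "":
            path = "/"
        if authz == requested_authz and check(path, requested_path):
            return True
    return False


if __name__ == "__main__":
    # Constructed token scopes for the demonstration.
    token_scopes = ["read:/john", "write:/john/scratch"]
    for path in ("/john/data.txt", "/johnathan/secret", "/john/../johnny"):
        print(path,
              "naive:", enforce(token_scopes, "read", path, vulnerable_path_allowed),
              "hardened:", enforce(token_scopes, "read", path))
```

Running the script shows the naive check granting read access to /johnathan/secret from a token scoped to /john, while the hardened check rejects it and still accepts /john/data.txt; the same boundary check is what a deployment should expect from the patched release, and the commit linked below can be compared against it.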
Technical details
Mitigation steps:
Affected products:
SciTokens
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32716
https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583
https://github.com/scitokens/scitokens/releases/tag/v1.9.6
https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
