When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.

Component: All daemons
Vulnerable Versions: 9.0.0 and above
Platform: All
Availability: Not known to be publicly exploited
Fix Available: 9.0.4, 9.1.2
Status: Verified
Access Required: Possession of a certain type of SciToken
Host Type Required: Any
Effort Required: Low
Impact/Consequences: Medium
Fixed Date: 2021-07-27
Credit: Jeny Teheran
Access Required: Possession of a certain type of SciToken

An attacker needs a SciToken with certain attributes that HTCondor will interpret as granting more capabilities than the token should.

Effort Required: Low

The type of token required to exploit this vulnerability can be obtained using standard methods and does not require custom tools or modifications to the token.

Impact/Consequences: Medium

Exploiting this vulnerability could allow a user to perform actions that they should not be allowed to do, such as submitting a job.

You can work around this issue by disabling SciTokens as an authentication method. This means overriding the default list of authentication methods (which includes SciTokens) by setting SEC_DEFAULT_AUTHENTICATION_METHODS to the full list of methods you actually want to use. To simply remove SciTokens from the default set, set it to "FS,TOKEN,KERBEROS,GSI,SSL".
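The following check script is an added example and is not part of this advisory or of HTCondor itself. It parses a condor_config-style fragment, resolves the method list for each access level, and reports where SCITOKENS (the config name for the SciTokens method) would still be accepted. It assumes that per-level knobs of the form SEC_<LEVEL>_AUTHENTICATION_METHODS override SEC_DEFAULT_AUTHENTICATION_METHODS, and uses a constructed stand-in for the shipped default list; the sample configs are constructed too.

```python
import re

# Assumed per-level override knobs (SEC_<LEVEL>_AUTHENTICATION_METHODS); only
# SEC_DEFAULT_AUTHENTICATION_METHODS is named in the advisory itself.
LEVELS = ("DEFAULT", "CLIENT", "READ", "WRITE", "DAEMON", "ADMINISTRATOR")

# Constructed stand-in for the shipped default: the advisory only says that
# the default list includes SciTokens; this is not HTCondor's literal value.
ASSUMED_DEFAULT = "FS,TOKEN,SCITOKENS,KERBEROS,GSI,SSL"

def parse_config(text):
    """Parse `KEY = VALUE` lines of a config fragment, expanding $(MACRO) refs."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        cfg[key.upper()] = value

    def expand(value):
        return re.sub(r"\$\((\w+)\)",
                      lambda m: expand(cfg.get(m.group(1).upper(), "")), value)

    return {k: expand(v) for k, v in cfg.items()}

def effective_methods(cfg):
    """Return the method list in force for each access level (assumed override model)."""
    default = cfg.get("SEC_DEFAULT_AUTHENTICATION_METHODS", ASSUMED_DEFAULT)
    result = {}
    for level in LEVELS:
        raw = cfg.get(f"SEC_{level}_AUTHENTICATION_METHODS", default)
        result[level] = [m.strip().upper() for m in raw.split(",") if m.strip()]
    return result

def levels_accepting_scitokens(text):
    """Sorted list of access levels whose effective method list still has SCITOKENS."""
    methods = effective_methods(parse_config(text))
    return sorted(level for level, ms in methods.items() if "SCITOKENS" in ms)

# Constructed sample configs: weak (nothing set, default applies), partially
# fixed (a per-level override re-adds SciTokens), and the advisory's workaround.
WEAK_CONFIG = "# no authentication knobs set\n"
PARTIAL_CONFIG = """SEC_DEFAULT_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,GSI,SSL
SEC_WRITE_AUTHENTICATION_METHODS = SCITOKENS,$(SEC_DEFAULT_AUTHENTICATION_METHODS)
"""
FIXED_CONFIG = "SEC_DEFAULT_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,GSI,SSL\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "-> SciTokens accepted at:", levels_accepting_scitokens(cfg) or "none")
```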

Full Details:

Embargoed until future notice.