CVE-2021-45102

8.8 HIGH

📋 TL;DR

This vulnerability in HTCondor allows users authenticating with SciTokens to gain unauthorized access beyond their intended permissions. It affects HTCondor installations using SciToken authentication. Organizations running affected versions with SciToken authentication enabled are at risk.

💻 Affected Systems

Products:
  • HTCondor
Versions: 9.0.x before 9.0.4, 9.1.x before 9.1.2
Operating Systems: All platforms running HTCondor
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SciToken authentication is configured and in use.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could gain administrative privileges over HTCondor clusters, potentially compromising all jobs and data.

🟠 Likely Case: Users could access resources and perform actions beyond their authorized scope, leading to data exposure or job interference.

🟢 If Mitigated: With proper network segmentation and monitoring, impact would be limited to specific HTCondor services only.

🌐 Internet-Facing: HIGH if HTCondor services are exposed to the internet with SciToken authentication enabled.
🏢 Internal Only: MEDIUM as internal attackers could still exploit this to escalate privileges within the HTCondor environment.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid SciToken credentials but minimal technical skill to abuse authorization flaws.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.4 or 9.1.2

Vendor Advisory: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/

Restart Required: Yes

Instructions:

1. Download patched version from HTCondor website.
2. Stop HTCondor services.
3. Install update.
4. Restart HTCondor services.
5. Verify authorization policies are correctly applied.

🔧 Temporary Workarounds

Disable SciToken Authentication

all

Temporarily disable SciToken authentication until patching is complete

Modify HTCondor configuration to remove or comment out SciToken authentication settings

Restrict Authorization Policies

all

Implement stricter authorization policies for SciToken users

Review and tighten ALLOW and DENY policies in HTCondor configuration files

🧯 If You Can't Patch

  • Implement network segmentation to isolate HTCondor services from sensitive systems
  • Enable detailed logging and monitoring for SciToken authentication events

🔍 How to Verify

Check if Vulnerable:

Run 'condor_version' to check the HTCondor version, and review the configuration files for SciToken settings.

Check Version:

condor_version

Verify Fix Applied:

Verify version is 9.0.4+ or 9.1.2+ and test SciToken authorization with limited test tokens
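
The version and configuration checks above as a script. This is an added example, not part of the vendor advisory. It assumes condor_version prints a "$CondorVersion: X.Y.Z ..." line and that 'condor_config_val -dump' prints "NAME = value" lines; the function names and the sample inputs are constructed for illustration.

```shell
# Added example: ranges are the ones on this page (9.0.x < 9.0.4, 9.1.x < 9.1.2).

# Constructed sample inputs so the script also runs without HTCondor.
SAMPLE_VERSION='$CondorVersion: 9.0.3 Jul 01 2021 BuildID: 000000 $
$CondorPlatform: x86_64_CentOS7 $'
SAMPLE_CONFIG='SEC_DEFAULT_AUTHENTICATION_METHODS = FS, SCITOKENS
# SEC_CLIENT_AUTHENTICATION_METHODS = SCITOKENS
ALLOW_WRITE = *'

# Pull MAJOR.MINOR.PATCH out of condor_version output.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\$CondorVersion: \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# affected | fixed | not-listed (series this page does not mention) | unknown
version_status() {
    [ -n "$1" ] || { echo unknown; return 0; }
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        9.0) first_fixed=4 ;;
        9.1) first_fixed=2 ;;
        *)   echo not-listed; return 0 ;;
    esac
    if [ "$patch" -lt "$first_fixed" ]; then echo affected; else echo fixed; fi
}

# Print uncommented settings whose authentication-method list names SCITOKENS.
scitokens_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -i 'AUTHENTICATION_METHODS.*=.*SCITOKENS' || true
}

# Combine both checks into one line, e.g. "affected scitokens-configured".
assess() {
    vstat=$(version_status "$(extract_version "$1")")
    if [ -n "$(scitokens_lines "$2")" ]; then sci=scitokens-configured; else sci=scitokens-absent; fi
    echo "$vstat $sci"
}

# Use the live host when HTCondor is installed, otherwise the samples.
if command -v condor_version >/dev/null 2>&1; then
    assess "$(condor_version)" "$(condor_config_val -dump 2>/dev/null)"
else
    assess "$SAMPLE_VERSION" "$SAMPLE_CONFIG"
fi
```

A scitokens-configured result only flags settings to review; the condition stated on this page is that SciToken authentication is configured and in use.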

📡 Detection & Monitoring

Log Indicators:

  • Unexpected authorization successes
  • SciToken authentication events with elevated privileges

Network Indicators:

  • Unusual API calls from SciToken-authenticated users
  • Access patterns exceeding normal user behavior

SIEM Query:

source="htcondor" AND (event="AUTH_SUCCESS" OR event="AUTHORIZATION") AND token_type="scitoken" AND privilege_level="ADMIN"
