A critical SQL injection vulnerability in the SciTokens library allows unauthenticated attackers to execute arbitrary database commands, potentially leading to a full compromise of the local SQLite database.

The KeyCache class within the SciTokens library fails to properly sanitize user-supplied data, specifically the issuer and key_id fields. By using Python's str.format() to build SQL queries, the application enables an attacker to inject malicious SQL syntax into the local SQLite database environment.

A successful exploit of this vulnerability could result in unauthorized data exfiltration, modification, or deletion within the local database. Given the library's role in security token management, this flaw could compromise the integrity of the entire authentication and authorization framework. The CVSS score of 9.8 reflects the high potential for total loss of confidentiality and integrity without requiring high privileges.

Immediate Action: Update the SciTokens Python library to version 1.9.6 or later immediately to replace the vulnerable query construction logic with parameterized queries.

Proactive Monitoring: Review application logs for unusual characters or SQL syntax within token-related requests and monitor for unexpected changes to the local SQLite database files.

Compensating Controls: Implement input validation at the application layer to restrict issuer and key_id strings to expected alphanumeric patterns before they reach the library.

Public Exploit Available: No

This vulnerability represents a significant risk to any application utilizing the SciTokens library for security assertions. Organizations should prioritize the update to version 1.9.6 immediately to mitigate the risk of SQL injection. Failure to patch may allow attackers to bypass security controls by manipulating the underlying token cache.