CVE-2024-42350

Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.

CVSS v3 3.0 LOW

3.0^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff
https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m

Configurations

No configuration.

History

No history.

Information

Published : 2024-08-05 20:15

Updated : 2024-08-06 16:30

NVD link : CVE-2024-42350

Mitre link : CVE-2024-42350

CVE.ORG link : CVE-2024-42350

JSON object : View

Products Affected

No product.

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2024-42350", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.0, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.3}]}, "published": "2024-08-05T20:15:36.697", "references": [{"url": "https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff", "source": "security-advisories@github.com"}, {"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Biscuit es un token de autorizaci\u00f3n con verificaci\u00f3n descentralizada, atenuaci\u00f3n fuera de l\u00ednea y una fuerte aplicaci\u00f3n de pol\u00edticas de seguridad basada en un lenguaje l\u00f3gico. Se pueden generar bloques de terceros sin transferir el token completo a la autoridad de terceros. En su lugar, se puede enviar una solicitud `ThirdPartyBlock`, proporcionando solo la informaci\u00f3n necesaria para generar un bloque de terceros y firmarlo: 1. la clave p\u00fablica del bloque anterior (utilizada en la firma), 2. la parte de las claves p\u00fablicas de la tabla de s\u00edmbolos de token (para la clave p\u00fablica interna en expresiones de registro de datos). Una solicitud de bloqueo de un tercero falsificada por un usuario malintencionado puede enga\u00f1ar a la autoridad del tercero para que genere un registro de datos que conf\u00ede en el par de claves incorrecto. Tokens con bloques de terceros que contienen anotaciones \"confiables\" generadas a trav\u00e9s de una solicitud de bloqueo de terceros. Esto se ha solucionado en la versi\u00f3n 4 de la especificaci\u00f3n. Se recomienda a los usuarios que actualicen sus implementaciones para ajustarlas. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-08-06T16:30:24.547", "sourceIdentifier": "security-advisories@github.com"}