Search criteria
3 vulnerabilities found for biscuit-haskell by biscuitsec
FKIE_CVE-2022-31053
Vulnerability from fkie_nvd - Published: 2022-06-13 20:15 - Updated: 2024-11-21 07:03
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://eprint.iacr.org/2020/1484 | Exploit, Technical Description, Third Party Advisory | |
| security-advisories@github.com | https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://eprint.iacr.org/2020/1484 | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| biscuitsec | biscuit-auth | * | |
| biscuitsec | biscuit-go | * | |
| biscuitsec | biscuit-haskell | 0.1.1.0 | |
| clever-cloud | biscuit-java | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:biscuitsec:biscuit-auth:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "0E563805-9EDE-4DF0-82CB-869AD67AC574",
"versionEndIncluding": "1.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:biscuitsec:biscuit-go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D442EFC-06BF-429F-848C-7BF4B7438BEB",
"versionEndExcluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:biscuitsec:biscuit-haskell:0.1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3E24AA7F-9A5F-4032-BE61-BD0B4AB77465",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:clever-cloud:biscuit-java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "020BC888-E2CE-4B88-A043-F7EE3DC54A62",
"versionEndExcluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid \u0393-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue."
},
{
"lang": "es",
"value": "Biscuit es un token de autenticaci\u00f3n y autorizaci\u00f3n para arquitecturas de microservicios. La versi\u00f3n 1 de la especificaci\u00f3n de Biscuit contiene un algoritmo vulnerable que permite a actores maliciosos falsificar firmas v\u00e1lidas. Un ataque de este tipo permitir\u00eda a un atacante crear un token con cualquier nivel de acceso. La versi\u00f3n 2 de la especificaci\u00f3n impone un algoritmo diferente a las firmas gamma y, como tal, no est\u00e1 afectada por esta vulnerabilidad. Las implementaciones de Biscuit en Rust, Haskell, Go, Java y Javascript han publicado versiones que siguen la especificaci\u00f3n v2. No se presentan mitigaciones conocidas para este problema"
}
],
"id": "CVE-2022-31053",
"lastModified": "2024-11-21T07:03:47.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-13T20:15:07.820",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://eprint.iacr.org/2020/1484"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://eprint.iacr.org/2020/1484"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2022-31053 (GCVE-0-2022-31053)
Vulnerability from cvelistv5 – Published: 2022-06-13 19:35 – Updated: 2025-04-22 17:54
VLAI?
Summary
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.
Severity ?
9.8 (Critical)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| biscuit-auth | biscuit |
Affected:
biscuit-auth >= 1.0.0, < 2.0.0
Affected: biscuit-haskell = 0.1.1.0 Affected: com.clever-cloud.biscuit-java < 2.0.0 Affected: github.com/biscuit-auth/biscuit-go < 2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://eprint.iacr.org/2020/1484"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:37:20.536342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:54:16.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "biscuit",
"vendor": "biscuit-auth",
"versions": [
{
"status": "affected",
"version": "biscuit-auth \u003e= 1.0.0, \u003c 2.0.0"
},
{
"status": "affected",
"version": "biscuit-haskell = 0.1.1.0"
},
{
"status": "affected",
"version": "com.clever-cloud.biscuit-java \u003c 2.0.0"
},
{
"status": "affected",
"version": "github.com/biscuit-auth/biscuit-go \u003c 2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid \u0393-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T19:35:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://eprint.iacr.org/2020/1484"
}
],
"source": {
"advisory": "GHSA-75rw-34q6-72cr",
"discovery": "UNKNOWN"
},
"title": "Signature forgery in Biscuit",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31053",
"STATE": "PUBLIC",
"TITLE": "Signature forgery in Biscuit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "biscuit",
"version": {
"version_data": [
{
"version_value": "biscuit-auth \u003e= 1.0.0, \u003c 2.0.0"
},
{
"version_value": "biscuit-haskell = 0.1.1.0"
},
{
"version_value": "com.clever-cloud.biscuit-java \u003c 2.0.0"
},
{
"version_value": "github.com/biscuit-auth/biscuit-go \u003c 2.0"
}
]
}
}
]
},
"vendor_name": "biscuit-auth"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid \u0393-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347: Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr",
"refsource": "CONFIRM",
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"name": "https://eprint.iacr.org/2020/1484",
"refsource": "MISC",
"url": "https://eprint.iacr.org/2020/1484"
}
]
},
"source": {
"advisory": "GHSA-75rw-34q6-72cr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31053",
"datePublished": "2022-06-13T19:35:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:54:16.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31053 (GCVE-0-2022-31053)
Vulnerability from nvd – Published: 2022-06-13 19:35 – Updated: 2025-04-22 17:54
VLAI?
Summary
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.
Severity ?
9.8 (Critical)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| biscuit-auth | biscuit |
Affected:
biscuit-auth >= 1.0.0, < 2.0.0
Affected: biscuit-haskell = 0.1.1.0 Affected: com.clever-cloud.biscuit-java < 2.0.0 Affected: github.com/biscuit-auth/biscuit-go < 2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://eprint.iacr.org/2020/1484"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:37:20.536342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:54:16.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "biscuit",
"vendor": "biscuit-auth",
"versions": [
{
"status": "affected",
"version": "biscuit-auth \u003e= 1.0.0, \u003c 2.0.0"
},
{
"status": "affected",
"version": "biscuit-haskell = 0.1.1.0"
},
{
"status": "affected",
"version": "com.clever-cloud.biscuit-java \u003c 2.0.0"
},
{
"status": "affected",
"version": "github.com/biscuit-auth/biscuit-go \u003c 2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid \u0393-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T19:35:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://eprint.iacr.org/2020/1484"
}
],
"source": {
"advisory": "GHSA-75rw-34q6-72cr",
"discovery": "UNKNOWN"
},
"title": "Signature forgery in Biscuit",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31053",
"STATE": "PUBLIC",
"TITLE": "Signature forgery in Biscuit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "biscuit",
"version": {
"version_data": [
{
"version_value": "biscuit-auth \u003e= 1.0.0, \u003c 2.0.0"
},
{
"version_value": "biscuit-haskell = 0.1.1.0"
},
{
"version_value": "com.clever-cloud.biscuit-java \u003c 2.0.0"
},
{
"version_value": "github.com/biscuit-auth/biscuit-go \u003c 2.0"
}
]
}
}
]
},
"vendor_name": "biscuit-auth"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid \u0393-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347: Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr",
"refsource": "CONFIRM",
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
},
{
"name": "https://eprint.iacr.org/2020/1484",
"refsource": "MISC",
"url": "https://eprint.iacr.org/2020/1484"
}
]
},
"source": {
"advisory": "GHSA-75rw-34q6-72cr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31053",
"datePublished": "2022-06-13T19:35:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:54:16.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}