CVE-2024-42350 (GCVE-0-2024-42350)
Vulnerability from cvelistv5 – Published: 2024-08-05 19:47 – Updated: 2024-08-05 20:23
VLAI?
Summary
Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| biscuit-auth | biscuit |
Affected:
< 4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:23:26.079868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:23:35.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "biscuit",
"vendor": "biscuit-auth",
"versions": [
{
"status": "affected",
"version": "\u003c 4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:47:44.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m"
},
{
"name": "https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff"
}
],
"source": {
"advisory": "GHSA-rgqv-mwc3-c78m",
"discovery": "UNKNOWN"
},
"title": "Public key confusion in third party block in Biscuit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42350",
"datePublished": "2024-08-05T19:47:44.903Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-08-05T20:23:35.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Biscuit es un token de autorizaci\\u00f3n con verificaci\\u00f3n descentralizada, atenuaci\\u00f3n fuera de l\\u00ednea y una fuerte aplicaci\\u00f3n de pol\\u00edticas de seguridad basada en un lenguaje l\\u00f3gico. Se pueden generar bloques de terceros sin transferir el token completo a la autoridad de terceros. En su lugar, se puede enviar una solicitud `ThirdPartyBlock`, proporcionando solo la informaci\\u00f3n necesaria para generar un bloque de terceros y firmarlo: 1. la clave p\\u00fablica del bloque anterior (utilizada en la firma), 2. la parte de las claves p\\u00fablicas de la tabla de s\\u00edmbolos de token (para la clave p\\u00fablica interna en expresiones de registro de datos). Una solicitud de bloqueo de un tercero falsificada por un usuario malintencionado puede enga\\u00f1ar a la autoridad del tercero para que genere un registro de datos que conf\\u00ede en el par de claves incorrecto. Tokens con bloques de terceros que contienen anotaciones \\\"confiables\\\" generadas a trav\\u00e9s de una solicitud de bloqueo de terceros. Esto se ha solucionado en la versi\\u00f3n 4 de la especificaci\\u00f3n. Se recomienda a los usuarios que actualicen sus implementaciones para ajustarlas. No se conocen workarounds para esta vulnerabilidad.\"}]",
"id": "CVE-2024-42350",
"lastModified": "2024-08-06T16:30:24.547",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N\", \"baseScore\": 3.0, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 1.4}]}",
"published": "2024-08-05T20:15:36.697",
"references": "[{\"url\": \"https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-668\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-42350\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-05T20:15:36.697\",\"lastModified\":\"2024-08-06T16:30:24.547\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Biscuit es un token de autorizaci\u00f3n con verificaci\u00f3n descentralizada, atenuaci\u00f3n fuera de l\u00ednea y una fuerte aplicaci\u00f3n de pol\u00edticas de seguridad basada en un lenguaje l\u00f3gico. Se pueden generar bloques de terceros sin transferir el token completo a la autoridad de terceros. En su lugar, se puede enviar una solicitud `ThirdPartyBlock`, proporcionando solo la informaci\u00f3n necesaria para generar un bloque de terceros y firmarlo: 1. la clave p\u00fablica del bloque anterior (utilizada en la firma), 2. la parte de las claves p\u00fablicas de la tabla de s\u00edmbolos de token (para la clave p\u00fablica interna en expresiones de registro de datos). Una solicitud de bloqueo de un tercero falsificada por un usuario malintencionado puede enga\u00f1ar a la autoridad del tercero para que genere un registro de datos que conf\u00ede en el par de claves incorrecto. Tokens con bloques de terceros que contienen anotaciones \\\"confiables\\\" generadas a trav\u00e9s de una solicitud de bloqueo de terceros. Esto se ha solucionado en la versi\u00f3n 4 de la especificaci\u00f3n. Se recomienda a los usuarios que actualicen sus implementaciones para ajustarlas. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":3.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"references\":[{\"url\":\"https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-42350\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-05T20:23:26.079868Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-05T20:23:31.517Z\"}}], \"cna\": {\"title\": \"Public key confusion in third party block in Biscuit\", \"source\": {\"advisory\": \"GHSA-rgqv-mwc3-c78m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"biscuit-auth\", \"product\": \"biscuit\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4\"}]}], \"references\": [{\"url\": \"https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m\", \"name\": \"https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff\", \"name\": \"https://github.com/biscuit-auth/biscuit/commit/c87cbb5d778964d6574df3e9e6579567cad12fff\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-668\", \"description\": \"CWE-668: Exposure of Resource to Wrong Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-05T19:47:44.903Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-42350\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-05T20:23:35.031Z\", \"dateReserved\": \"2024-07-30T14:01:33.922Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-05T19:47:44.903Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…