Skip to content

Commit

Permalink
add advisory for biscuit-haskell 0.3.x
Browse files Browse the repository at this point in the history
  • Loading branch information
@divarvel @frasertweedale
divarvel authored and frasertweedale committed Aug 1, 2024
1 parent 50e4100 commit 59bea00
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions advisories/hackage/biscuit-haskell/HSEC-2024-0009.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
```toml
[advisory]
id = "HSEC-2024-0009"
keywords = ["biscuit"]
aliases = ["CVE-2024-41949", "GHSA-rgqv-mwc3-c78m", "GHSA-47cq-pc2v-3rmp"]

[[references]]
type = "ADVISORY"
url = "https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp"
[[references]]
type = "FIX"
url = "https://github.com/biscuit-auth/biscuit-haskell/pull/93"

[[affected]]
package = "biscuit-haskell"
cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.3.0.0"
fixed = "0.4.0.0"
```

# Public key confusion in third-party blocks

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it:

- the public key of the previous block (used in the signature);
- the public keys part of the token symbol table (for public key interning in datalog expressions).

A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.

0 comments on commit 59bea00

Please sign in to comment.