Public key confusion in third-party blocks
Third-party blocks can be generated without transferring the whole
token to the third-party authority. Instead, a
ThirdPartyBlock request can be sent, providing only the
necessary info to generate a third-party block and to sign it:
- the public key of the previous block (used in the signature);
- the public keys part of the token symbol table (for public key interning in datalog expressions).
A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.
Info
- Published
- August 01, 2024
- Modified
- August 01, 2024
- CAPECs
- < none >
- CWEs
- < none >
- Keywords
- biscuit
- Aliases
- CVE-2024-41949, GHSA-rgqv-mwc3-c78m, GHSA-47cq-pc2v-3rmp
- Related
- < none >
- References
- [ADVISORY] https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp
- [FIX] https://github.com/biscuit-auth/biscuit-haskell/pull/93
Affected
biscuit-haskell
- CVSS
- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
- Versions
>=0.3.0.0 && <0.4.0.0- Declarations
- < none >