CVE-2024-41948

biscuit-java vulnerable to public key confusion in third party block

CVSS 3: LOW | EPSS: 0.3% | CWE-1259
In short

A flaw in biscuit-java allows a malicious user to create a forged third-party block request that tricks the authority into trusting the wrong cryptographic key. This could lead to unauthorized token validation if the attacker convinces the authority to sign a block with incorrect key associations.

Technical detail

The vulnerability exists in third-party block generation where a crafted ThirdPartyBlock request can cause key confusion between the previous block's public key and keys in the token symbol table. An attacker can submit a malicious request containing mismatched public keys, causing the third-party authority to generate and sign a block with incorrect key trust relationships in the datalog rules, potentially bypassing authorization checks.

Summary generated and translated by AI from the official description.
biscuit-java is the Java implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it, which includes the public key of the previous block (used in the signature) and the public keys part of the token symbol table (for public key interning in datalog expressions). A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. This vulnerability is fixed in 4.0.0.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
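
The key confusion described above, reduced to a toy model of index-based public key interning. This is an added example, not biscuit-java code and not taken from the advisory. The dictionary layout, function names, key strings and the self-contained key table in the hardened variant are assumptions made for illustration; the page states only that the issue is fixed in 4.0.0.

```python
# Simplified model of public key interning in a third-party block.
# Added illustration: NOT biscuit-java code. Key names are constructed placeholders.

def intern(table, key):
    """Return key's index in table, appending it first if it is absent."""
    if key not in table:
        table.append(key)
    return table.index(key)


def build_block_from_request(request_keys, trusted_key):
    """Affected pattern: intern against the table the requester supplied."""
    table = list(request_keys)
    idx = intern(table, trusted_key)
    # Only keys the third party believes are new travel with the block.
    return {"trusting": idx, "new_keys": table[len(request_keys):]}


def build_block_self_contained(trusted_key):
    """Hardened pattern (assumption of this example): the block carries its
    own key table, so nothing in the request influences index resolution."""
    return {"trusting": 0, "own_keys": [trusted_key]}


def resolve_trusted_key(token_keys, block):
    """Verifier side: turn the block's index back into a public key."""
    if "own_keys" in block:
        return block["own_keys"][block["trusting"]]
    return (list(token_keys) + block["new_keys"])[block["trusting"]]


# Constructed sample data.
TOKEN_KEYS = ["ed25519/key-in-real-token"]      # what the token really holds
INTENDED = "ed25519/key-third-party-trusts"     # what the signer means to trust

honest = build_block_from_request(TOKEN_KEYS, INTENDED)
forged = build_block_from_request([INTENDED], INTENDED)  # request misstates the table
hardened = build_block_self_contained(INTENDED)

if __name__ == "__main__":
    for name, block in [("honest", honest), ("forged", forged), ("hardened", hardened)]:
        got = resolve_trusted_key(TOKEN_KEYS, block)
        print(f"{name:9} -> {got}  intended={got == INTENDED}")
```

In the forged case the third party signs index 0 believing it names the key it trusts, while the verifier resolves index 0 against the real token table and gets a different key.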
