CVE-2022-31053

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-31053

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31053.json

Aliases

Published

2022-06-13T20:15:07Z

Modified

2023-11-29T09:41:00.781865Z

Details

Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.

References

Affected packages

Git / github.com/biscuit-auth/biscuit-go

Affected ranges

Type: GIT
Repo: https://github.com/biscuit-auth/biscuit-go
Events: Introduced

0The exact introduced commit is unknown

Fixed

f061134c2a1e56aa4f3166e633b0afc27acd09f3

Type: GIT
Repo: https://github.com/clevercloud/biscuit-java
Events: Introduced

0The exact introduced commit is unknown

Fixed

0864a220cfdad3809b8fddf2a8b0922e6572b6be

Affected versions

0.*

0.1.2

0.1.3

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.3.0

0.3.1

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.6.1

1.*

1.0-SNAPSHOT

1.0.0

1.0.1

1.0.10

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.2.2

v1.*

v1.0.0