CVE-2024-42350

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-42350

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42350.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-42350

Aliases

CVE-2024-41949
GHSA-47cq-pc2v-3rmp
GHSA-p9w4-585h-g3c7
GHSA-rgqv-mwc3-c78m
HSEC-2024-0009

Published

2024-08-05T19:47:44Z

Modified

2025-10-21T02:35:28Z

Severity

3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Summary

Public key confusion in third party block in Biscuit

Details

Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing trusted annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "4"
            }
        ],
        "type": ""
    }
]