HSEC-2023-0002
See a problem?- Import Source
- https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0002.json
- JSON Data
- https://api.osv.dev/v1/vulns/HSEC-2023-0002
- Aliases
- Related
- Published
- 2025-11-14T14:45:34Z
- Modified
- 2025-11-14T18:15:29.990510Z
- Summary
- Improper Verification of Cryptographic Signature
- Details
-
Improper Verification of Cryptographic Signature
The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability.
- Database specific
{ "repository": "https://github.com/haskell/security-advisories", "home": "https://github.com/haskell/security-advisories", "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export" }- References
Affected packages
Hackage / biscuit-haskell
Package
- Name
- biscuit-haskell
- Purl
- pkg:hackage/biscuit-haskell
Severity
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Database specific
source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0002.json"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0002.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0002.md"