HSEC-2023-0002

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0002.json
Aliases
Related
Published
2023-06-19T21:35:33Z
Modified
2023-12-13T13:05:38.724067Z
Details

Improper Verification of Cryptographic Signature

Version 1 of the Biscuit specification contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability.

References

Affected packages

Hackage / biscuit-haskell

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.0.0
Fixed
0.2.0.0

Affected versions

0.*

0.1.0.0
0.1.1.0