HSEC-2024-0009

See a problem?

Import Source

https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0009.json

JSON Data

https://api.osv.dev/v1/vulns/HSEC-2024-0009

Aliases

CVE-2024-41949
GHSA-47cq-pc2v-3rmp
GHSA-p9w4-585h-g3c7
GHSA-rgqv-mwc3-c78m

Published

2024-08-01T12:52:14Z

Modified

2025-07-27T20:43:16.367058Z

Summary

Public key confusion in third-party blocks

Details

Public key confusion in third-party blocks

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it:

the public key of the previous block (used in the signature);
the public keys part of the token symbol table (for public key interning in datalog expressions).

A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.

Database specific

{
    "home": "https://haskell.github.io/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
}

References

Affected packages

Hackage / biscuit-haskell

Package

Name: biscuit-haskell
Purl: pkg:hackage/biscuit-haskell

Severity

3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.3.0.0

Fixed

0.4.0.0

Affected versions

0.*

0.3.0.0

0.3.0.1

Database specific

{
    "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0009.json",
    "human_link": "https://haskell.github.io/security-advisories/advisory/HSEC-2024-0009.html"
}