HSEC-2024-0009

See a problem?
Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0009.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2024-0009
Aliases
Published
2024-08-01T12:52:14Z
Modified
2024-10-02T01:29:31.898661Z
Summary
Public key confusion in third-party blocks
Details

Public key confusion in third-party blocks

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it:

  • the public key of the previous block (used in the signature);
  • the public keys part of the token symbol table (for public key interning in datalog expressions).

A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.

References

Affected packages

Hackage / biscuit-haskell

Package

Name
biscuit-haskell
Purl
pkg:hackage/biscuit-haskell

Severity

  • 3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.0.0
Fixed
0.4.0.0

Affected versions

0.*

0.3.0.0
0.3.0.1