HSEC-2024-0009

See a problem?
Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0009.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2024-0009
Aliases
Published
2025-11-14T14:45:34Z
Modified
2025-11-14T18:15:43.110342Z
Summary
Public key confusion in third-party blocks
Details

Public key confusion in third-party blocks

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it:

  • the public key of the previous block (used in the signature);
  • the public keys part of the token symbol table (for public key interning in datalog expressions).

A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.

Database specific 
{
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
}
References

Affected packages

Hackage / biscuit-haskell

Package

Name
biscuit-haskell
Purl
pkg:hackage/biscuit-haskell

Severity

  • 3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.0.0
Fixed
0.4.0.0

Affected versions

0.*

0.3.0.0
0.3.0.1

Database specific

osv

"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0009.json"

human_link

"https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0009.md"