HSEC-2024-0009
See a problem?- Import Source
- https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0009.json
- JSON Data
- https://api.osv.dev/v1/vulns/HSEC-2024-0009
- Aliases
-
- CVE-2024-41949
- CVE-2024-42350
- GHSA-47cq-pc2v-3rmp
- GHSA-p9w4-585h-g3c7
- GHSA-rgqv-mwc3-c78m
- Published
- 2024-08-01T12:52:14Z
- Modified
- 2024-10-08T04:27:03.437337Z
- Summary
- Public key confusion in third-party blocks
- Details
-
Public key confusion in third-party blocks
Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a
ThirdPartyBlockrequest can be sent, providing only the necessary info to generate a third-party block and to sign it:- the public key of the previous block (used in the signature);
- the public keys part of the token symbol table (for public key interning in datalog expressions).
A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.
- References
Affected packages
Hackage / biscuit-haskell
Package
- Name
- biscuit-haskell
- Purl
- pkg:hackage/biscuit-haskell
Severity
- 3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVSS Calculator