PT-2022-20491 · Biscuit · Biscuit

Geal · Published 2022-06-13 · Updated 2025-11-14 · CVE-2022-31053

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Biscuit version 1

Description: The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures (gamma signatures). This would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. There are no known workarounds for this issue. As Biscuit v1 was still an early version and not broadly deployed, all known users of Biscuit v1 were contacted and helped to migrate to Biscuit v2. There is no known active exploitation of this vulnerability.

Recommendations: For Biscuit version 1, migrate to Biscuit version 2 to resolve the issue, as version 2 mandates a different algorithm than gamma signatures and is not affected by this vulnerability.

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

CVE-2022-31053
GHSA-75RW-34Q6-72CR
GO-2022-0564
HSEC-2023-0002

Affected Products

Biscuit