PT-2024-29655 · Unknown · Biscuit-Java

Reporter: Geal · Published: 2024-07-31 · Updated: 2024-08-09 · CVE-2024-41948

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: biscuit-java versions prior to 4.0.0

Description: The issue concerns the generation of third-party blocks for authentication and authorization tokens in microservices architectures. A malicious user can forge a third-party block request, tricking the third-party authority into generating datalog that trusts the wrong keypair. This is achieved by altering the public keys field in the ThirdPartyBlockRequest and replacing the actual public key with a different one, which allows the attacker to use the token without obtaining a third-party block from the intended authority.

Recommendations: For biscuit-java versions prior to 4.0.0, upgrade to version 4.0.0 to fix the issue. As a temporary workaround, consider restricting the use of third-party block requests until the patch is applied. Avoid using altered symbol tables in ThirdPartyBlockRequest to prevent exploitation.

Related Identifiers

CVE-2024-41948
GHSA-5HCJ-RWM6-XMW4

Affected Products

Biscuit-Java