CVE-2024-41949

CVSS v3.1

6.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions biscuit-rust (affected versions not specified)

Description The issue concerns biscuit-rust, the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. This occurs because third-party blocks can be generated without transferring the whole token to the third-party authority, using a ThirdPartyBlock request that includes the public key of the previous block and the public keys part of the token symbol table.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

CVE-2024-41949

GHSA-47CQ-PC2V-3RMP

GHSA-P9W4-585H-G3C7

GHSA-RGQV-MWC3-C78M

HSEC-2024-0009

Affected Products

Biscuit-Rust

CVE-2024-41949

Weakness Enumeration

Related Identifiers

Affected Products

References · 15