CVE-2024-42350

Name of the Vulnerable Software and Affected Versions Biscuit versions prior to 4

Description The issue concerns the generation of third-party blocks in Biscuit, an authorization token with decentralized verification. A malicious user can forge a ThirdPartyBlock request, tricking the third-party authority into generating datalog that trusts the wrong keypair. This can be achieved by altering the publicKeys field in the ThirdPartyBlockRequest and replacing the actual public key with a different one, allowing the attacker to use the token without obtaining a third-party block from the intended authority.

Recommendations For versions prior to 4, update the implementation to conform to version 4 of the specification to address this issue. At the moment, there is no information about other versions that contain a fix for this vulnerability.