Lucene search

[email protected]CVE-2022-31053

HistoryJun 13, 2022 - 8:15 p.m.

CVE-2022-31053

2022-06-1320:15:07

CWE-347

[email protected]

web.nvd.nist.gov

cve-2022-31053

biscuit

authentication

authorization

microservices

vulnerability

token

gamma signatures

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.0%

JSON

Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.

Affected configurations

Vulners

NVD

Node

biscuit-authbiscuitRange1.0.0–2.0.0

biscuit-authbiscuitMatch0.1.1.0

biscuit-authbiscuitRange<2.0.0

biscuit-authbiscuitRange<2.0

CPENameOperatorVersion
biscuitsec:biscuit-authbiscuitsec biscuit-authle1.1.0
biscuitsec:biscuit-gobiscuitsec biscuit-golt2.0.0
biscuitsec:biscuit-haskellbiscuitsec biscuit-haskelleq0.1.1.0

CPE	Name	Operator	Version
biscuitsec:biscuit-auth	biscuitsec biscuit-auth	le	1.1.0
biscuitsec:biscuit-go	biscuitsec biscuit-go	lt	2.0.0
biscuitsec:biscuit-haskell	biscuitsec biscuit-haskell	eq	0.1.1.0

CNA Affected

[
  {
    "product": "biscuit",
    "vendor": "biscuit-auth",
    "versions": [
      {
        "status": "affected",
        "version": "biscuit-auth >= 1.0.0, < 2.0.0"
      },
      {
        "status": "affected",
        "version": "biscuit-haskell = 0.1.1.0"
      },
      {
        "status": "affected",
        "version": "com.clever-cloud.biscuit-java < 2.0.0"
      },
      {
        "status": "affected",
        "version": "github.com/biscuit-auth/biscuit-go < 2.0"
      }
    ]
  }
]

References

eprint.iacr.org/2020/1484

github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr

Social References

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.0%

JSON

Related for CVE-2022-31053

veracode1 osv4 cvelist1 prion1 nvd1 github1