Lucene search
PRIOn knowledge basePRION:CVE-2022-31053HistoryJun 13, 2022 - 8:15 p.m.
Authentication flaw
2022-06-1320:15:00
PRIOn knowledge base
www.prio-n.com
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid G-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.
| CPE | Name | Operator | Version |
|---|---|---|---|
| biscuit-auth | ge | 1.0.0 | |
| biscuit-auth | le | 1.1.0 | |
| biscuit-go | lt | 2.0.0 | |
| biscuit-haskell | eq | 0.1.1.0 | |
| biscuit-java | lt | 2.0.0 |
Related
veracode
veracode
Insecure Cryptographic Function
2022-06-14 03:32:26
osv
osv
CVE-2022-31053
2022-06-13 20:15:07
Signature forgery in github.com/biscuit-auth/biscuit-go
2022-08-15 18:02:15
Signature forgery in Biscuit
2022-06-17 00:38:03
cvelist
cvelist
CVE-2022-31053 Signature forgery in Biscuit
2022-06-13 19:35:10
cve
cve
CVE-2022-31053
2022-06-13 20:15:07
github
github
Signature forgery in Biscuit
2022-06-17 00:38:03
nvd
nvd
CVE-2022-31053
2022-06-13 20:15:07