2 matches found
biscuit-cli (>=0.4.1 <=0.4.2) potentially affected by CVE-2024-41949 +1 more via biscuit-auth (=4.1.1)
biscuit-auth CARGO version =4.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on biscuit-auth and may be impacted: - biscuit-cli =0.4.1, =0.4.2 Source cves: CVE-2024-41949, CVE-2024-42350 Source advisory: OSV:GHSA-P9W4-585H-G3C7...
GHSA-P9W4-585H-G3C7 biscuit-auth vulnerable to public key confusion in third party block
Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it: - the public key of the previous block used in the signature - t...