Veracode Vulnerability Database VERACODE:48396
Aug 07, 2024 - 4:34 a.m.

Exposure Of Resource To Wrong Sphere

2024-08-07 04:34:16
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
3
biscuit, software, vulnerability, exposure, resource, wrong sphere

CVSS3: 3

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

AI Score: 7
Confidence: Low

org.biscuitsec, biscuit is vulnerable to Exposure of Resource to Wrong Sphere. Third-party block requests can be forged by malicious users, tricking the third-party authority into generating datalog that trusts the wrong keypair. Attackers can exploit this to generate tokens with trusted annotations through forged third-party block requests.
