CVE-2024-41949Improper Privilege Management in Biscuit-rust

CWE-269Improper Privilege Management4 documents3 sources
Severity
6.4MEDIUMNVD
EPSS
0.1%
top 70.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Biscuit-auth Biscuit-rustBiscuitsec Biscuit-auth
Timeline
PublishedAug 1
Latest updateNov 14

Description

biscuit-rust is the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it, which includes the public key of the previous block (used in the signature) and the public keys part of the token symbol table (for public k

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages3 packages

CVEListV5biscuit-auth/biscuit-rust< 5.0.0
crates.iobiscuitsec/biscuit-auth4.0.05.0.0

🔴Vulnerability Details

3
OSV
Public key confusion in third-party blocks2025-11-14
GHSA
biscuit-auth vulnerable to public key confusion in third party block2024-07-31
OSV
biscuit-auth vulnerable to public key confusion in third party block2024-07-31