CVE-2024-42350Resource Exposure in Biscuit

CWE-668Resource Exposure3 documents2 sources
Severity
3.0LOWNVD
EPSS
0.1%
top 67.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Biscuit-auth BiscuitBiscuitsec Biscuit-auth
Timeline
PublishedAug 5
Latest updateNov 14

Description

Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol tab

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:NExploitability: 1.3 | Impact: 1.4

Affected Packages2 packages

CVEListV5biscuit-auth/biscuit< 4
crates.iobiscuitsec/biscuit-auth4.0.05.0.0

🔴Vulnerability Details

2
OSV
Public key confusion in third-party blocks2025-11-14
OSV
biscuit-auth vulnerable to public key confusion in third party block2024-07-31