Vulnerability Description
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Biscuitsec | Biscuit-Auth | >= 1.0.0, <= 1.1.0 |
| Biscuitsec | Biscuit-Go | < 2.0.0 |
| Biscuitsec | Biscuit-Haskell | 0.1.1.0 |
| Clever-Cloud | Biscuit-Java | < 2.0.0 |
Related Weaknesses (CWE)
References
- https://eprint.iacr.org/2020/1484ExploitTechnical DescriptionThird Party Advisory
- https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72crExploitThird Party Advisory
- https://eprint.iacr.org/2020/1484ExploitTechnical DescriptionThird Party Advisory
- https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72crExploitThird Party Advisory
FAQ
What is CVE-2022-31053?
CVE-2022-31053 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-...
How severe is CVE-2022-31053?
CVE-2022-31053 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-31053?
Check the references section above for vendor advisories and patch information. Affected products include: Biscuitsec Biscuit-Auth, Biscuitsec Biscuit-Go, Biscuitsec Biscuit-Haskell, Clever-Cloud Biscuit-Java.