CVSS: 9.8 • EPSS: 0% • CPEs: 4 • EXPL: 2

13 Jun 2022 — Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and JavaScript all have pu... • https://eprint.iacr.org/2020/1484 • CWE-347: Improper Verification of Cryptographic Signature