CVE-2022-31053

Signature forgery in Biscuit

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Biscuit is an authentication and authorization token for microservices architectures. Version 1 of the Biscuit specification contains a vulnerable algorithm that allows malicious actors to forge valid gamma signatures. Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and JavaScript all have published versions following the v2 specification. There are no known workarounds for this issue.

Biscuit is an authentication and authorization token for microservices architectures. Version 1 of the Biscuit specification contains a vulnerable algorithm that allows malicious actors to forge valid signatures. Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and JavaScript have published versions following the v2 specification. There are no known mitigations for this issue.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-05-18 CVE Reserved
  • 2022-06-13 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2025-04-09 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
Affected Vendors, Products, and Versions
Vendor        Product          Version             Other   Status
Biscuitsec    Biscuit-auth     >= 1.0.0 <= 1.1.0   rust    Affected
Biscuitsec    Biscuit-go       < 2.0.0             -       Affected
Biscuitsec    Biscuit-haskell  0.1.1.0             -       Affected
Clever-cloud  Biscuit-java     < 2.0.0             -       Affected