Skip to content

Security: biscuit-auth/biscuit

SECURITY.md

Security

Vulnerabilities

1 - 2021/05/06 - rules can generate fact with authority or ambient tags using variables

Affected versions:

  • Rust <1.1.0
  • Java: <1.1.0
  • Go: <1.0.0

Description

Rules of the format operation($ambient, #read) <- operation($ambient, $any) provided by blocks other than the authority block could be used to generate facts with the #authority or #ambient tags. This can result in elevation of privilege.

Recommandations

Upgrade immediately to non affected versions

Credits

This issue was reported by @svvac. Thanks a lot!

0 - 2021/05/06 - unbound variables in rule head

Affected versions:

  • Rust <1.0.1
  • Java: results in Null Pointer Exception in versions <1.1.0
  • Go: not affected

Description

Rules of the format operation($unbound, #read) <- operation($any1, $any2) could generate invalid facts containing variables, that would then confuse matching of other checks and make them succeed. This can result in elevation of privilege.

Recommandations

Upgrade immediately to non affected versions

Credits

This issue was reported by @svvac. Thanks a lot!

Learn more about advisories related to biscuit-auth/biscuit in the GitHub Advisory Database