HSEC-2023-0002

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0002.json
JSON Data
https://api.test.osv.dev/v1/vulns/HSEC-2023-0002
Aliases
Related
Published
2023-06-19T21:35:33Z
Modified
2025-07-27T20:33:51.137050Z
Summary
Improper Verification of Cryptographic Signature
Details

Improper Verification of Cryptographic Signature

The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid gamma signatures (Γ-signatures). Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability.

Database specific
{
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "home": "https://haskell.github.io/security-advisories",
    "repository": "https://github.com/haskell/security-advisories"
}
References

Affected packages

Hackage / biscuit-haskell

Package

Name
biscuit-haskell
Purl
pkg:hackage/biscuit-haskell

Severity

  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.0.0
Fixed
0.2.0.0

Affected versions

0.*

0.1.0.0
0.1.1.0

Database specific

{
    "human_link": "https://haskell.github.io/security-advisories/advisory/HSEC-2023-0002.html",
    "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0002.json"
}