CVE-2024-41948
Published: 01 August 2024
Summary
CVE-2024-41948 is a low-severity Improper Restriction of Security Token Assignment (CWE-1259) vulnerability in Biscuitsec Biscuit-Java. Its CVSS base score is 3.0 (Low).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 36.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2267
Vulnerability details
biscuit-java is the Java implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the information needed to generate a third-party block and sign it: the public key of the previous block (used in the signature) and the public keys that are part of the token's symbol table (used for public key interning in Datalog expressions). A third-party block request forged by a malicious user can trick the third-party authority into generating Datalog that trusts the wrong keypair. This vulnerability is fixed in 4.0.0.
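The paragraph above describes the flaw in terms of public key interning, so the following toy model shows why a holder-supplied public key table is dangerous. It is an added illustration and not biscuit-java's code or wire format: the authority interns the key it wants to trust into the table the request claims and then refers to it only by index, so a forged table makes that index resolve, in the real token, to the attacker's key. The hardened variant has the block carry its own key table; that is one way to remove the dependence on the request and is a simplification, not a description of the exact 4.0.0 change. All names, keys and the HMAC stand-in for the authority's signature are constructed for this example.

```python
"""Toy model of the forged third-party block request described above.

Added illustration, not biscuit-java's code. Public keys are plain strings,
the authority's signature is an HMAC placeholder, and only the public-key
interning logic is modelled.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Token:
    public_keys: list                       # token-level public key table
    blocks: list = field(default_factory=list)

    def intern(self, key):
        if key not in self.public_keys:
            self.public_keys.append(key)
        return self.public_keys.index(key)


@dataclass
class ThirdPartyRequest:
    """Vulnerable request shape: the previous block's public key plus a
    *claimed* copy of the token's public key table. The holder supplies
    this, so nothing binds the claim to the table the token really has."""
    previous_key: str
    public_keys: list


@dataclass
class Block:
    datalog: str        # e.g. 'check if role("admin") trusting {0}'
    key_index: int      # index the 'trusting' clause refers to
    public_keys: list   # hardened shape only: the block's own key table
    signature: str


def toy_sign(secret, *parts):
    # Stand-in for the authority's real signature (assumption: HMAC-SHA256).
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def authority_vulnerable(req, secret, trusted_key):
    """Interns trusted_key into the table the *request* claims and emits
    Datalog that names the key only by its index in that table."""
    table = list(req.public_keys)
    if trusted_key not in table:
        table.append(trusted_key)
    idx = table.index(trusted_key)
    datalog = f'check if role("admin") trusting {{{idx}}}'
    return Block(datalog, idx, [], toy_sign(secret, req.previous_key, datalog))


def authority_hardened(req, secret, trusted_key):
    """Ignores any claimed table: the block carries its own key table, the
    index is relative to it, and the table is covered by the signature."""
    own_table = [trusted_key]
    datalog = 'check if role("admin") trusting {0}'
    sig = toy_sign(secret, req.previous_key, datalog, *own_table)
    return Block(datalog, 0, own_table, sig)


def resolve_vulnerable(token, block):
    # Authorizer side: index looked up in the token's real table.
    return token.public_keys[block.key_index]


def resolve_hardened(token, block):
    # Authorizer side: index looked up in the block's own table.
    return block.public_keys[block.key_index]


def demo():
    authority_secret = b"authority-secret"    # constructed
    honest_key = "ed25519/HONEST_AUTHORITY"   # constructed
    attacker_key = "ed25519/ATTACKER"         # constructed
    prev_key = "ed25519/PREVIOUS_BLOCK"       # constructed

    # The holder already appended a first-party block trusting its own key,
    # so the token's real table is [attacker_key].
    token = Token(public_keys=[attacker_key])

    # Forged request: claims the honest key already sits at index 0.
    forged = ThirdPartyRequest(prev_key, [honest_key])

    vuln_block = authority_vulnerable(forged, authority_secret, honest_key)
    hard_block = authority_hardened(forged, authority_secret, honest_key)
    return {
        "vulnerable": resolve_vulnerable(token, vuln_block),  # attacker key
        "hardened": resolve_hardened(token, hard_block),      # honest key
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the authority's Datalog says "trusting {0}" and believes index 0 is the honest key, but the token it is appended to maps index 0 to the attacker, so facts signed by the attacker satisfy a check the authority meant to reserve for its own key. The practical check for a deployment is simply the dependency version: anything below biscuit-java 4.0.0 that issues third-party blocks from holder-supplied requests is exposed.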
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-41948 lets a remote attacker (AV:N) who already holds a token and can submit third-party block requests (AC:H/PR:H) send a forged request to the third-party block generation service in biscuit-java. The authority is tricked into issuing a third-party block whose Datalog trusts an attacker-controlled keypair, which is why the mapping is Exploitation for Privilege Escalation (T1068).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The vendor fix is biscuit-java 4.0.0, as noted in the vulnerability details above.